Second-hand gadget and video games retailer Cex has said up to two million customers have had their data stolen in an online breach.
The company said the stolen data included customers' names, addresses, email addresses, phone numbers and some old credit card information.
It has urged customers to change their password, especially if they reused their Cex password on other websites.
The company said it was working with the police following the breach.
Cex has more than 300 stores in the UK where people can trade in gadgets and video games, and operates the webuy.com online marketplace.
It said an "unauthorised third party" had accessed online account holder data, but stressed that in-store data had not been affected.
Affected customers have been sent an email offering guidance.
The company said some encrypted credit card information had been compromised, but since the retailer stopped storing credit card information in 2009, those details were likely to have expired, making them useless to criminals.
"It's surprising that Cex still stored customer card details prior to 2009," said Javvad Malik from security firm AlienVault.
"One would struggle to think of a legitimate business reason for storing expired card details," he said.
In a statement, Cex said it had employed a cyber-security specialist to review its systems, to prevent a "sophisticated breach" from happening again.