A British rail operator has reset more than a million customer accounts after discovering hackers had successfully breached a small percentage of them.
Great Western Railway said that about 1,000 of its passengers' details had been exposed.
The business - which runs trains between London, Penzance and Worcester - is part of the transport operator FirstGroup.
It said all bank information had been protected by encryption.
"We have identified unauthorised automated attempts to access a small number of GWR.com accounts over the past week," a spokesman told the BBC.
"While we were able to shut this activity down quickly and contact those affected, a small proportion of accounts were successfully accessed.
"The success rate of the automated logins was extremely low, suggesting any passwords used were likely harvested elsewhere," the company added.
The firm added that the decision to reset all customer accounts had been taken as a precautionary step.
Some recipients of the alert had questioned if it was real, as the email address it had been sent from seemed unusual.
Allow Twitter content?
One cyber-security expert said the incident served as a reminder that people should use a different, complex password for each online service they used.
"In the wake of large data breaches, we often see large caches of credentials go on sale on the dark web," commented Rashmi Knowles from RSA Security.
"Hackers know that consumers use the same passwords for multiple accounts, and that these credentials will open doors into emails, banks, or in this case railway accounts.
"I would suspect that is what is happening here, and that GWR accounts have been accessed by people trying their luck with stolen credentials," said Ms Knowles.