Fitness website PayAsUGym has confirmed one of its servers has been hacked.
The company, which sells passes for gyms around the UK, acknowledged that 300,000 email addresses and passwords of its members had been accessed on Thursday.
The website said it did not hold financial or credit card details of its users on its servers.
Customers have been advised to change their passwords and the company has also migrated to new servers.
PayAsUGym alerted its members to the security breach in an email on Friday which said “one of the company’s IT servers was accessed by an unauthorised person”.
It went on: “Although we do not hold any financial or credit card information, the unauthorised person could have accessed the e-mail address and password of our customers.
“Passwords are encrypted when saved in the database, nevertheless I would encourage you to change your password.”
‘More frequent’ attacks
Several customers’ email addresses and passwords appear to have been published online.
PayAsUGym said once it was alerted, it “closed down” the breach and contacted the police.
It has also started using new servers after speaking with cybersecurity professionals.
The website uses a “tokenised system” for customer payments which, it says, means card details are stored at the payment gateway – not on its servers.
“This is the highest level of security process for dealing with payments,” it said.
PayAsUGym added: “We take the security of customer information very seriously. Unfortunately cyber attacks are becoming more frequent which is why, as a policy, we do not (and will never) hold financial or credit card details and we insist that all passwords are encrypted when stored.”