The Racing Post newspaper has admitted it was the victim of a "sophisticated, sustained and aggressive attack," which saw hackers steal the names and passwords of its users.
The newspaper, which is dedicated to horse and greyhound racing as well as other sports betting, sent an email to all affected users, urging them to reset their password and to ensure that the password used for Racing Post is no longer used for any other website or online service.
In a statement published on its website, Racing Post said: "Our site was the subject of a sophisticated, sustained and aggressive attack on Friday and Saturday [22, 23 November], in which one of our databases was accessed and customer details were stolen."
Although the amount of data stolen will vary from user to user, it could include: "usernames, first and last names, encrypted passwords, email and customer addresses and date of birth." Racing Post confirms no credit or debit card details have been stolen, as these are stored by the site's third-party bookmakers.
Stringent new measures
Racing Post claims: "Stringent new measures are being put in place to prevent a repeat of the security breach...customers have been advised by email that they should take the precaution of changing their password on other sites if it is the same one that they use for racingpost.com."
Although the statement says "passwords are encrypted," no details are given about the nature of the encryption used to protect them, such as whether they were salted and hashed to prevent them from being easily recovered by the hackers.
In an email sent to affected users, as posted on BetFair's forum, Racing Post says: "Although all the passwords are encrypted, we believe that there is still a chance that some passwords can be deciphered. As yours is one of the accounts involved, there is a risk of identity theft."
Bruce Millington, editor of the newspaper, said: "Security is an area we take extremely seriously and our website has not been compromised previously. As soon as we were aware of the situation we did everything in our power to halt the breach."
While the attack is investigated, Racing Post has removed the ability to register and sign in to the site, although Members' Club content is still available.
Millington added: "We are extremely sorry that this unfortunate incident has occurred. We believe it may be part of a wider attack on a number of companies. We thank you for your patience and understanding."
Craft targeted attack
Commenting on the incident in a blog post, security expert Graham Cluley said: "It's not just passwords that have been exposed by this security breach. Users' names, email addresses, and dates of birth (among other information) have also fallen into the hands of cybercriminals.
"It is easy to imagine how malicious attackers could craft a targeted attack against readers of the Racing Post, using that information to create carefully crafted emails designed to infect their computers or phish other information from them. Be on your guard."