Some 1,600 British Gas customers have been told their account number, name and email address may have been involved in a "breach of security" last month, after a "third party" got the login details from another website the affected customers use.
The energy giant hasn't fully explained what has happened, but says its own systems weren't breached, there's been no suspicious activity on the accounts and it's only alerted customers as a "precautionary measure".
It will be sending all affected customers a £20 cheque as a goodwill gesture, which it recommends is spent on a fraud protection service. Passwords have also been reset.
The Information Commissioner's Office told MoneySavingExpert.com it is aware of the incident and is looking into the details. If you're affected, you should now have received a letter explaining the situation, and the cheque will follow this.
See our 30+ Ways to Stop Scams guide for full help on how to keep yourself safe online.
How was the information taken?
British Gas says there was no breach of security on its own systems, but that the customers involved had their British Gas login details accessed by a third party from another site.
British Gas won't say which other site is involved, but it's understood to be a single website.
MoneySavingExpert was first informed about the problem after a British Gas customer, who asked not to be named, contacted us with the letter they were sent.
'British Gas's systems were not breached'
A British Gas spokesperson said: "It is unfortunately a fact of modern life that login details can be stolen from various sources and then be shared via third-party websites, so every company and every individual with an online presence should prioritise online security.
"British Gas's systems were not breached, but 1,600 of our customers had their britishgas.co.uk login details accessed by a third party who got these details from another website the affected customers use.
"As soon as we discovered this we checked all the accounts and confirmed there was no suspicious activity on them. We also reset the passwords as a precaution.
"We wrote to all affected customers to advise and reassure them. To be clear, payment information cannot be accessed in this way; it is stored and encrypted separately. Like all responsible companies we take the security of our customers' data very seriously and advise them to use different login details for different websites."
An Information Commissioner's Office spokesperson said: "Organisations have a legal duty to keep people's personal data safe and secure.
"We have been made aware of an incident involving British Gas and are looking into the details."
How can I protect myself online?
The key to keeping your online accounts secure is to use a strong and, crucially, unique password for each. This can be tricky though, given the many different sites you may have a login for.
One option is to use different passwords and store them in a password manager – see our 60 seconds on password security guide for full info.
The handy website HaveIBeenPwned? ('pwned' is geek-speak for being made a fool of; it's pronounced 'poned') allows anyone to check if their accounts have been compromised in a number of recent known data breaches.