Two million CeX customers have been told to change their passwords after the used-tech firm was hacked.

The company is warning that some personal data including names, addresses, emails and phone numbers could have been compromised – and encrypted data from expired credit and debit cards may also have been accessed.

CeX, which runs a chain of second-hand electronics shops and the website, is asking online customers to change their passwords, and if they use the same password for other online accounts to change it there as well.

For help on keeping your details secure online, see our 60 Seconds on Password Security guide.

What happened?

CeX says it was contacted by a "third party" this month which claimed to have some of its customers' data, following a hack at the end of 2016.

It began emailing customers who may have been affected about the security breach yesterday, as a precaution. CeX believes only its online customers' data has been compromised, and the information it holds on its members who sell and trade in items at its stores is safe.

A spokesperson said: "Late last year, we suffered what we believed to be a low-level breach in our online UK website security, along with a phishing attempt [ie, when a spam email is used to try to steal information]. It was swiftly identified and fixed, and we immediately put in place additional security measures. No further security breach has since taken place and we would like to stress that at the time, there was no evidence that there had been any unauthorised access to customer data. 

"However, in August this year we received communication from a third party claiming to have access to some of our online UK website data from the security breach.

"We immediately informed the relevant authorities, including the Information Commissioner's Office and National Crime Agency who are in the process of investigating and our cybersecurity specialists have implemented additional, advanced security measures to prevent this from happening again."

Why do I need to change my password?

CeX's website says: "Although your password has not been stored in plain text [ie, readable text that could be used to compromise your account], if it is not particularly complex then it is possible that in time a third party could still determine your original password and could attempt to use it across other, unrelated services."

It says to change your password for its site, and any other sites where you use the same password.

If you've not received an email warning about the breach, CeX says your account has not been affected. But if you're worried, email

Should I be worried about my card details?

CeX says a "small amount" of encrypted data from expired credit and debit cards could have been compromised, but this would be out of date as it stopped storing financial data in 2009.

If you're worried, however, contact your bank for advice on what to do.