Thousands of Superdrug's online customers have been targeted by cyber criminals who claim to have obtained their personal details.
The company told customers to change their online passwords after hackers claimed to have stolen information on approximately 20,000 users, but the retailer said it has only seen evidence so far that 386 accounts have been hacked.
Names, addresses, and in some cases phone numbers and points balances may have been accessed but not payment card information.
But some customers complained they couldn't access the website to change their passwords as instructed.
I requested a password reset and I haven’t had the email. I keep trying but nothing is coming through?
— Jess (@jessgallery) August 21, 2018
I would be able to change my password but tried from 4 different devices and the website keeps giving me and internal server error. Not acceptable that I might have my details comprised and I can't change my password.— Ellen Auckland (@EllenA1997) August 21, 2018
Superdrug said it had informed the police as well as the UK's national fraud and cyber-crime arm, Action Fraud, about the issue.
The Information Commissioner's Office said it was aware of the incident and would be making enquiries.
In an email to customers, Superdrug said: "We were contacted by hackers who claimed they had obtained a number of our customers' online shopping information."
There is no evidence that Superdrug's systems have been compromised.
"We believe the hacker obtained customers' email addresses and passwords from other websites and then used those credentials to access accounts on our website," Superdrug's letter continued.
The company has apologised to customers.