Video game retailer Cex has said up to two million customers have had their data stolen in an online breach and urged them to change their passwords.

The company buys and sells second-hand games, consoles and gadgets through its Cex-branded high street stores and webuy.com website.

It said customers' names, addresses, email addresses, phone numbers and encrypted data from expired credit and debit cards had been taken by "an unauthorised third party".

It clarified in a statement: “We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.”

The company said it was working with the police following the breach and had notified affected customers through an email.

The statement continued: “We are taking this extremely seriously and wanted to provide you with details of the situation and how it might affect you.

“Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services.

“As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.

“We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats.

“Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes.

“Together we have implemented additional advanced measures of security to prevent this from happening again.

“If you have any questions, please don’t hesitate to email us at: guidance@webuy.com.

“If you do not receive an email, your account is not affected.”