Australian ecommerce site Catch of the Day has revealed it suffered a security breach three years ago after it sent an email advising customers to change their passwords.
In early 2011, hackers stole names, delivery addresses, email addresses, hashed passwords and even some credit card details from the firm, which contacted police and banks at the time.
Jason Rudy, executive GM at Catch Group, said: "We unreservedly apologise to our customers for this incident.
"We take data security seriously and have taken strong measures to protect their personal information."
The company said that they were informing users of the breach because technology advances might have put the hashed passwords at risk, and advised those who had not changed their password since May 7 2011 to do so.
It added that it had informed the office of the Australian information commissioner, which was not made privy to the breach at the time it occurred.
The Labor opposition has previously criticised the incumbent coalition for stalling legislation that would oblige companies and government bodies to inform customers when privacy had been breached.
Tim Keanini, CTO of security firm Lancope, told Forbes the lag in disclosure was "a ridiculous amount of time".
"If these users are still using the same passwords for the past three to four years, we have even bigger problems," he added.