Online classifieds site Gumtree suffered an attack on its site last weekend in which attackers used a vulnerability in the site to make off with names, email addresses and phone numbers of Gumtree account holders.
The eBay-owned site began notifying affected customers of the security incident this morning.
It said while personal details of "some" Gumtree users were accessed, account passwords and payment details had not been compromised as the company uses a third-party gateway for payments and does not store the information on the site.
Gumtree said the stolen contact names and phone numbers had already been made publicly available on the site by affected account holders.
It claimed the "isolated" incident was resolved "within minutes" of discovery.
Gumtree did not detail how many users were affected by the breach. It said the incident impacted "only a portion of the email addresses we hold".
It said it had notified the Australian Federal Police of the incident as well as the Australian Privacy Commissioner.
Gumtree declined to comment on the cause of the attack but said attackers had exploited an "unknown" vulnerability.
"The security audit didn’t identify any further vulnerabilities with the system. We have, and will continue to, implement extra steps to make it harder for fraudsters to target Gumtree’s users," a spokesperson said.
It had indicated in its communication to users that the breach had stemmed from a phishing attack.
The Coalition government is currently preparing to introduce its bill for mandatory notifications of data breach into parliament. The bill is unlikely to be passed before the expected July 2 federal election.
Late last month security firm Malwarebytes revealed criminals had used Gumtree to spread malware through online display ads.
The attackers tricked an online ad network into sending out banner ads through Gumtree that attempted to lead Australian visitors to a site hosting the Angler exploit kit. Gumtree.com.au has over 45 million visits per month.
More to come