Hackers have stolen usernames and passwords of popular knitting website Ravelry after cracking a secondary server used for its blog site.
An attacker tried "various methods" to crack into the website and succeeded using a "weak link" on the blog server.
Ravelry said it had hired an information security consulting firm to run penetration tests against its systems, installed intrusion detection systems, and hardened its networks by removing unused software and services.
"As an example, the software we used to run our blog was not only completely re-installed, it was also moved to a separate web host to limit exposure in the future," the company said in a post.
"We are a tiny company with a small staff and only one engineer/programmer but we still take security very seriously."
It said passwords were encrypted and no financial information was lost.
Ravelry advised users to change passwords to their other accounts, if they used the same password to log in to multiple online services.
It also said users should consider using a password manager.
"We are deeply sorry that this has happened. We care very much about all of you and we never want something like this to happen again."