The credit card details of 98,000 customers may have been compromised in a web hack branded as "horrifying" by a leading security analyst.
Bibliofind, a subsidiary of e-tailer Amazon, has been partially shut down after it was discovered that unknown individuals had been accessing customer information on its server between October 2000 and February 2001.
The breach came to light after the website was defaced last week. Bibliofind is still running the site but is not handling financial transactions and has removed customer details.
"The big question is why did it take so long for Bibliofind to discover it?" asked Richard Stagg, senior security architect at Information Risk Management.
He explained that the decision to remove customer details from the site after the breach was discovered amounted to "shutting the stable door after the horse had bolted", adding that the scale of the breach would shatter confidence in e-tailing.
Bibliofind spokesman Jim Courtovich said that the hack had been reported to the FBI, and that all 98,000 customers would be informed by email.
He added that there was no evidence that any credit card details had been misused, and that customers were being warned as a precautionary measure.
Amazon said that it runs its operation on a totally different system and was not affected.