As many as 6,600 customers of online contact lens shop Vision Direct are at risk of having their personal details, including financial information, stolen in a November data breach.

A total of 16,300 people were thought to be at risk of the breach, although 9,700 of those did not have any financial data compromised. For the 6,600 others though, information including payment card numbers, expiry dates and CVV codes could all have been accessed.

According to security researcher Troy Mursche the data theft was the result of a fake Google Analytics script. The retailer added that there was no risk of information being stolen from its database, and that the breach only impacted users who logged in to the website between certain dates.

Vision Direct said in a statement that customers who logged into the website or created a new account between 12.11am on 3 November and 12.52pm on 8 November could have been affected, and advised customers to contact their banks and credit card providers. Customers using PayPal were unaffected, but the Visa, Mastercard and Maestro methods were all at risk.

The retailer said that it is currently apologising to customers thought to be affected, and has notified the relevant authorities, as well as taking the “necessary steps” to prevent further data theft.