Budget airline Wizz Air has advised 3.4 million customers to change their passwords, amid growing fears the airline may have been the victim of a cyber-attack.
Customers were told on Friday to switch their old passwords on their accounts immediately and ensure that they were not using them elsewhere, triggering concerns over a potential personal data breach in the airline's systems.
Wizzair said the advice was due to a technical glitch in its systems and was not linked to a cyber attack.
Based in Budapest, the Hungarian airline offers over 600 routes from 25 cities in Central and Eastern Europe, and is a major player in Europe's low-cost air travel industry.
In a message, the company said: “We would like to inform you that we discovered some temporary technical irregularity in our system. After the detection we properly solved it, but in order to ensure the protection of your account we have taken the precautionary action to reset your password.
“For safety reasons, we kindly recommend you to avoid providing the previous passwords as new one, and to avoid using the same password in all websites where you register.”
The announcement sparked concern among customers, who feared the company may have suffered from a data breach.
Wizz Air customer Petar Todorov was told that his password had not been leaked, and that the message sent to him was a “precautionary measure for the protection of personal data of our customers”.
Another customer using the name Dr Massey Ferguson said on Twitter: "I assume this email for a password reset means you have been hacked. Should you not come clean under GDPR? It would be nice to know if my bank details have been lost."
A spokesperson for Wizz Air said: “We can confirm that we have sent an email to our customers about a detection of a temporary technical irregularity in our system.
“At no point was any personal data compromised and resetting the passwords on the WIZZ accounts was a precautionary action. Safety remains a priority for Wizz Air, and that includes the security of our passengers’ data.”
The company has not confirmed any further details about the technical irregularity.
Commenting on Wizz Air's actions, Charlie Wedin, partner at law firm Osborne Clarke, said: "An unintended implication, or any loose language, can sometimes raise more questions than the communication set out to address in the first instance.
"It is critical to be precise and succinct, to reassure where possible, and to provide the information required for the recipient to take any relevant steps to protect themselves.”
Richard Gold, director of security engineering at cyber security advisory company Digital Shadows, said that Wizz Air’s message to customers points to a likely internal mistake.
“Wizz Air have taken the right protective action in the form of password resets however they haven’t clearly communicated to the affected customers what the issue is and nobody, especially those affected, will be appreciative of the answer of ‘precautionary measures’,” he said.
“We advise that people who have re-used their Wizz Air password elsewhere, should probably reset that password and use unique passwords per-website using a password manager if possible to help.”
Airlines have become a high profile and profitable target for hackers. Last year, British Airways admitted that it had been hacked for two weeks and hundreds of thousands of customers' bank details were stolen. Last year, the personal data of 9.4m passengers was stolen in a cyber attack on Hong Kong airline Cathay Pacific.