Nearly 450 islanders' data could have been breached in a hack on LibertyBus and CTPlus Guernsey's websites.
The Channel Islands bus operators fell victim to a phishing attack.
It intercepted the link between the main websites and top-up pages for the Avanchicard and Puffinpass.
A duplicate log-in page was created at some point after 29th April, asking users to fill in their email address or pass number and password.
It was shut down within hours of being discovered on 15th May.
LibertyBus says there is a 'limited risk of fraudulent activity',
"No credit/debit card details were accessed and at no point was the central databasen of Avanchicard holders compromised."
Emails have been sent to the 361 people in Jersey and 82 people in Guernsey possibly affected telling them their passwords have been automatically reset.
Investigations into how the attack happened are underway, and the Information Commissioner has been informed.
"LibertyBus is now working closely with the regulatory authorities and their suppliers to investigate how this incident occurred. They are also working hard to put measures in place to ensure that an incident of this nature does not happen again."
Any customers who are concerned should contact info@libertybus.je
The top-up section of the LibertyBus website will be unavailable at times in the coming weeks for testing and investigations. Customers are being asked to top-up at the Customer Services desk at Liberation Station.
£75,500 raised in Jersey Christmas Appeal Charity Auction
Government to announce support option for carers
Drink driving can cause 'life-changing' consequences
Parked cars damaged in Victoria Avenue crash
L'Ecume II: Lewis Carr jailed for 20 months for fatal collision at sea
Guernsey's former Chief Minister admits making indecent images of children
Minister approves 42 sheltered homes at nursing home
Jersey potato farm to be the site of Channel Islands' largest roof solar array
