Customers of Paddy Power and Betfair betting services have been warned to be on the lookout for fraud following a data breach that affected up to 800,000 users in the UK and Ireland.
The betting sites, owned by Dublin-based Flutter, said in an email to customers that an “unauthorised third party” had gained access to “limited betting account information” on some users.
Flutter had 4.2 million average monthly users across its four betting brands with $3.6 billion (£2.7bn) in annual revenues in its most recent financial year.
Data breach
It is the world’s biggest publicly listed betting company, with a market capitalisation of some $50.6bn.
The company said a full investigation was being undertaken to contain the breach and determine the scope of the information accessed.
External IT experts have been engaged to help with the probe and the data protection authorities in the UK and Ireland have been notified, Flutter UK and Ireland said.
A company representative said the firm believes the unauthorised access has been removed and the incident contained.
The data accessed includes usernames, email addresses and IP addresses, as well as some instances in which physical address details were leaked.
An email to Betfair customers said the breach had included “details of some recent activity on your account” in addition to technical details such as the user’s device ID and IP address.
Spear phishing
“No passwords, ID documents or usable card or payment details were impacted,” a Flutter spokesperson said.
Silicon UK understands the breach was detected within the past four weeks.
The two betting sites warned that the data accessed by hackers could be used to craft highly targeted emails for the purposes of fraud, known as spear phishing attacks.