Travel details and email addresses of around nine million easyJet customers have been accessed through a "highly sophisticated" cyber hack, according to the airline.
In a statement on Tuesday, the budget carrier said the credit card details of a further 2,208 people had been accessed, but added there was "no evidence" of the data being misused.
Passport details are not believed to have been touched.
Those who have had their data accessed will be contacted in the next few days after a "forensic" investigation uncovered the breach.
They have been advised to "continue to be alert as they would normally be", but even more so if they should receive any unsolicited communications.
It encouraged extra caution to be given to any messages received that purport to be from easyJet or easyJet holidays.
- British Airways could be fined more than €200 million over data security breach
- EasyJet grounds entire fleet due to coronavirus pandemic
- Flybe collapses as COVID-19 triggers fall in airline bookings
The company's chief executive Johan Lundgren apologised for the incident in a brief statement, and said it highlighted the need for businesses to "stay agile to stay ahead of the threat."
He added: "Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams."
The National Cyber Security Centre and the Information Commissioner's Office (ICO) has been made aware of the breach, and advised for anyone affected to be contacted.
Adam French, a consumer rights expert at Which?, said it was "vital" that easyJet now provides clear information on the incident and gives support to those affected.
He added: "For anyone concerned they could be affected, it’s important to change your password with easyJet and other websites where you might use the same one - and keep a careful eye on bank accounts and credit reports.
"Also, be wary of emails or fake 'customer support' popping up on social media regarding the breach, as scammers may try to take advantage of it."
The hack comes at a bad time for the aviation industry, which has been gutted by the coronavirus pandemic.
UK-based easyJet has already made the decision to ground all its flights "until further notice" due to it becoming increasingly difficult to ensure the safety of passengers and crew.
The last large-scale data hack of a British airline was that of British Airways in 2018, when the data of hundreds of thousands of passengers were accessed.
It is now facing a possible £183m (€204m) fine.