The Racing Post is advising users of its website to change their passwords for other sites if they use the same one in case hackers break the encryption.
The company has promised to adopt "stringent" new measures to prevent a repeat of the weekend security breach on its website racingpost.com.
The Racing Post said its website was hit by a "sophisticated, sustained and aggressive" attack that compromised a database containing customer details including usernames and encrypted passwords.
The company said the risk will vary according to how much information users gave when they registered, but that no credit or debit card details are at risk.
“Betting through the site with our partner bookmakers has at all times been unaffected as this activity takes place directly with the bookmaker,” the company said in a statement on its website.
The Racing Post said it has turned off the ability to register or login to racingpost.com, making the site safe to use.
Read more on encryption
Racing Post editor Bruce Millington the attack may be part of a wider attack on a number of companies.
Lloyd Brough, cyber incident response director at information assurance firm NCC Group, said the attack appears to be a common web application vulnerability that was exploited to compromise the database.
“While it is positive Racing Post has been quick to disclose the breach, providing further technical details on what type of 'encryption' was used for the passwords would have helped further inform technical users,” he said.
“If this is the case then it is little better than using unencrypted password due to the trivial nature of recovering them,” he said.