A data breach of personal information connected with Air Canadas app may have included passport numbers and other sensitive details for thousands of customers, the airline has warned.

According to Air Canada, it detected unusual login activity between 22 and 24 August and as a result, decided to lock down all 1.7m customer accounts. It believes data may have been stolen from around 20,000 of these, and has informed customers belonging to this group via email. However, all customers using the app will have to reset their login details as a security precaution.

The firm has been criticised for its relatively weak password system, with online accounts requiring a password between six and 10 characters and not allowing symbols outside letters and numbers. The Canadian governments own cyber-security advice suggests passwords should include “at least one character that isnt a letter or number” and be at least eight characters long. Following the data breach, Air Canada has updated the app so that passwords must be at least 10 characters long and contain one symbol.

While the data breach is not thought to have compromised any credit card details, which are encrypted, basic profile data including names, email addresses and phone numbers may have been exposed, along with information like passport number, nationality, country of residence and birth date.

Security experts have warned that the theft of such information could pose a serious identity fraud risk. Air Canada has recommended that customers “regularly review their financial transactions, be aware of any changes to their credit rating, and contact their financial services provider” if they become aware of any unusual activity.