Basic-Fit has confirmed a major cyberattack that has exposed personal and banking details of millions of users across Europe, including Spain.

The breach, detected on April 8, saw hackers gain unauthorised access to the low-cost gym giant’s user database, compromising sensitive information such as names, dates of birth, contact details and bank data.

While Basic-Fit says it acted quickly to cut off access, the scale of the damage is already significant.

More than 200,000 users have been affected in the Netherlands alone, while across Spain, France and Germany the number exceeds 4.5 million.

The company insists that passwords and identity documents were not accessed, but that will be little comfort to customers now facing the risk of fraud.

Basic-Fit has said it has contacted affected users directly, though concerns are mounting about how widely the data may now be circulating.

The chain, which has expanded rapidly across Spain in recent years, operates more than 150 gyms nationwide and is particularly popular among younger users drawn in by its low-cost model.

It runs dozens of gyms across Andalucia, meaning thousands of local members could potentially be caught up in the breach.

Spain’s Association of Consumers has urged anyone with a Basic-Fit account to keep a close eye on their bank activity in the coming weeks, warning that even small, unfamiliar charges could be the first sign of fraud.

They are also calling on the company to strengthen its data protection systems and ensure such a breach cannot happen again.

For users, the risk doesn’t stop at the initial hack. Cybercriminals often follow up data breaches with phishing attempts, posing as banks or companies to extract further information.

Anyone who has used Basic-Fit is being urged to act immediately by updating passwords, monitoring bank accounts closely and treating any unexpected emails, calls or texts with extreme caution.

If you spot anything suspicious, report it straight away to your bank and the company.