Ms Pang said while all personal customer passwords are encrypted, even encrypted data can be susceptible to skilled hackers.
"So we are advising affected customers to immediately change their passwords on any other sites that may use the same email, secret question and answer, and password combination," she said.
NetSafe executive director Martin Cocker urged Kiwis to notify their bank if their credit cards were stored on the website.
"It will be sensible to change passwords.
"It's hard to know what is taken but it is good to assume they have everything -- credit cards and passwords," he said.
Mr Cocker also advised customers to be "extra vigilant" as hackers could use their personal details and email users similar items they might be interested in buying.
"You may get something that looks extremely legitimate because they [hackers] can access the database," he warned.
Mr Cocker said the leaked information was serious but "one of many".
"It reflects the nature of online systems. They are vulnerable to that kind of thing," he said.
Australian Children's eSafety commissioner Alastair MacGibbon said the theft of data relating to children added "a degree of injustice" to the breach, AAP reported.
"Why are we collecting this information to start with? If you don't collect it, you can't lose it," Mr MacGibbon said.
The hacker, reportedly speaking with Motherboard, said he had no plans to use the data, AAP reported.
"Frankly, it makes me sick that I was able to get all this stuff," the hacker said.
