The email addresses, usernames and passwords were taken from the Joint Commission On Public Ethics legacy system, which was used for financial disclosures prior to 2015.
When the theft was discovered, all passwords to the current financial disclosures system were reset, the letter said.
"Nevertheless, we understand that it is common practice for individuals to use the same password across multiple websites and applications," the letter said. "As a result, we urge you to immediately change your password on any other sites on which this password may have been reused and to always utilize complex passwords that do not repeat across different platforms."
The letters were signed by commission Executive Director Sanford Berland, who offered an apology for the inconvenience and said the agency is taking steps to reduce the chance of another "security incident."
The spokesman for former Gov. Andrew Cuomo was among those who received the letter. On Twitter, he immediately criticized the commission, which he called JJOKE instead of JCOPE.
"So either JJOKE dragged their heels for 3 months & decided to dump informing people that their info was hacked via snail mail on a holiday weekend," spokesman Rich Azzopardi tweeted, "or there was ANOTHER more recent attack that wasn't disclosed. Which is it?"
In the February attack, a web server containing the state's filing systems for lobbying and financial disclosures had to be taken off line. At the time, officials said they didn't yet know if user information was accessed.
The commission said in a statement that the letter referred to the February attack.
©2022 the Times Union, Distributed by Tribune Content Agency, LLC.