The IAAF says it has been hacked by the 'Fancy Bears' group and that information on athletes' therapeutic use exemption (TUE) applications has been compromised.
Athletics' world governing body was notified of unauthorised remote access to its network last month but it has admitted it is unaware whether information was stolen from the network.
Athletes who have applied for TUEs, which can be issued to athletes who have an illness or condition that requires the use of medication that is on the World Anti-Doping Agency's prohibited list, were contacted on Monday.
"Our first priority is to the athletes who have provided the IAAF with information that they believed would be secure and confidential," said IAAF president Sebastian Coe.
"They have our sincerest apologies and our total commitment to continue to do everything in our power to remedy the situation and work with the world's best organisations to create as safe an environment as we can."
The 'Fancy Bears', a cyber espionage group believed to be from Russia, gained notoriety last year after leaking medical records of several high-profile competitors, information gained from a computer hack on WADA.
British cyclists Sir Bradley Wiggins and Chris Froome, along with American tennis star Serena Williams and gymnast Simone Biles, who won four gold medals at Rio 2016, were among those to have had their details made public.
There is no suggestion of any wrongdoing by any of the athletes.
The IAAF was made aware it had been the victim of a cyber attack by British security company Context Information Security, which was contacted by the governing body to conduct a thorough investigation across its systems.
That led to the finding of a "sophisticated intrusion".
It added in a statement: "We have received the full support of the IAAF during the subsequent Cyber Incident Response engagement and, throughout the investigation, the IAAF have understood the importance and impact of the attack and have provided us comprehensive assistance.
"This has been critical in allowing us to both quickly identify the nature of the intrusion and to provide a full and diligent resolution."