Retailer Kiddicare saw some of its customer details accessed by hackers, who then used the stolen data to carry out a phishing attack.
The information comprised names, delivery addresses, telephone numbers and email addresses, but no credit or debit card information.
An unnamed security company alerted Kiddicare that some of its data might have been compromised, which matched that used on a test site in November 2015. Kiddicare took this site down.
The company said that a preliminary review revealed that there was no evidence of a breach of its systems or databases.
The information seems to have been used in a phishing attack, in which customers were sent text messages claiming to be from a subsidiary website of Kiddicare which invited them to take part in an online survey.
Kiddicare said that it had identified the cause of the attack and had put increased security in place. It added that while passwords were protected by strong encryption and there was no indication that passwords had been accessed, it had reset all passwords.
Payment information was not exposed as Kiddicare said it does not store or process this information. In addition, no information regarding age, disability or ethnicity was exposed in the hack.
"Our brand has been built on a 40-year foundation of trust with our customers, and we have therefore taken the step of contacting customers who may have been affected," the company said in a statement. "We want to assure you that the cause of this issue has been addressed and you can continue to shop with confidence at Kiddicare."