The athletic-wear company announced in a press release on Thursday that an “unauthorized party” claims to have acquired customer data from its U.S. website. According to a preliminary investigation conducted by outside data security firms and law enforcement, the leaked data is believed to be limited in scope.

“The limited data includes contact information, usernames and encrypted passwords,” the statement said. “Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”

Adidas first became aware of the security issue on June 26, but did not say when the breach occurred.

“We are alerting certain consumers who purchased on adidas.com/US about a potential data security incident. At this time this is a few million consumers,” a spokesperson told Bloomberg.

A data breach can threaten not just customers, but also the brand’s image. According to a recent KPMG study, 55% of consumers surveyed globally have decided against purchasing something online due to privacy concerns.

What’s more, their fears do not appear to be baseless. Since 2017, several other major companies have experienced significant data breaches, including Sears, Kmart, Best Buy, Lord & Taylor, Wholefoods, Gamestop, to name a few. Most recently, Delta Air Lines disclosed that a cyber attack on a contractor exposed the payment information of thousands of customers.

“Adidas is committed to the privacy and security of its consumers’ personal data. Adidas immediately began taking steps to determine the scope of the issue and to alert relevant consumers,” the company said.