Chick-Fil-A has confirmed that their rewards system was attacked by a 3rd party, over the course of more than two months, stealing customers’ sensitive information.

The disclosure came in a security notice filed on the California Attorney General’s website, affects Chick-fil-A customers across the country, including in Louisiana and Texas.

The attack, using log-ins obtained from a third party to access member reward site Chick-fil-A One, was carried out between Dec. 18, 2022 and Feb. 12, 2023, the chain said.

Officials from Chick-fil-A say that the information that was stolen “may have included your name, email address, Chick-fil-A One membership number and mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit (e.g., e-gift card balance) on your account (if any). In addition, if saved to your account, the information may have included the month and day of your birthday, phone number, and address.” Officials from Chick-fil-A noted that “Importantly, unauthorized parties would only have been able to view the last four digits of your payment card number.”

It’s not clear how many users and rewards members total were affected, but, it’s believed to be around 2% of Chick-fil-A mobile app users. Chick-fil-A is urging customers to review their account statements and credit reports for any suspicious activity. Anyone with further questions can call (833) 753-4428 from Monday through Friday between 9 a.m. and 9 p.m. ET.