A firm selling retro football team shirts and merchandise has apologised to customers after a cyber-security attack accessed their data.
Classic Football Shirts said customers' details had been accessed through one of its third party providers' systems.
Some customers complained of receiving emails offering cashback on their previous orders.
The firm is now telling customers not to follow the link if they have received the cashback phishing email.
Classic Football Shirts said it became aware of the cashback emails at 20:30 on Thursday night - half an hour after they were sent.
The firm believes password data and payment information have not been compromised.
But in a Twitter post, the company urged customers to be "vigilant" and contact their bank to cancel their cards if they supplied their card information on the link from the cashback form.
The clothes business said payment information was "never stored on their system" and apologised for the "inconvenience caused".
But many customers commented with concern that scammers were able to access their names, addresses, email addresses and order history.
Something has definitely been leaked as the phishing email had a correct order number of mine. I got caught out by this and am not very impressed both with myself for being fooled and the whole situation — Graham Lewis (@lfc4life76uk) July 9, 2021
Some customers commented that they became aware it was a phishing email after noticing an extra "s" in the email address: @classicsfootballshirts.co.uk
Others, after placing an order, had noticed that the email offering cashback was from email@example.com rather than classicfootballshirts.co.uk.
One customer, Fernando Paredes, told the BBC he saw that $700 (£504) was taken from his account. He cancelled the credit card and his bank is investigating the transaction.
Mr Paredes bought a football shirt from the online store on 14 March to be shipped to his address in Peru. He says he received the phishing email and did not notice the extra "s".
"The company did well making a statement about the breach," he adds, but says he is still "concerned about the third party provider's systems".
Customers also commented that it was "unprofessional" and that they were "worried" that their information was not properly protected.
I only noticed the email this morning. The order number was this year. I did click the link but it did not redirect me. Hence no details were entered. Phew! A huge security breach though 🤔 — Vincetelo Ragazzi 🇮🇹 (@EddyGrady) July 9, 2021
Classic Football Shirts did not immediately respond to the BBC with an estimate of how many customers had been affected.
The Manchester-based firm was started in 2006 by two students. Its website says it has the world's largest collection of football shirts, with a product range of 30,000 individual items and more than 500,000 units available in stock.