Marks & Spencer has confirmed that hackers gained access to customer data during a cyberattack in April. While the breach didn’t expose full payment details or account passwords, the retailer is urging customers to reset their passwords and stay alert.

In a message to users, M&S said the stolen data may “include contact details – such as name, email address, addresses, telephone number, date of birth, online order history, household information and ‘masked’ payment card details used for online purchases.” Though payment card data was encrypted, customers are advised to watch for suspicious messages pretending to be from M&S.

Operations director Jayne Wall assured that full card information wasn’t stored on M&S systems: “The data does not include useable card or payment details, and it also does not include any account passwords.” Still, the company is offering online safety tips and additional support through its help center.

Cybersecurity expert Matt Hull cautioned that even without full financial data, the personal details stolen in this breach could still be misused by criminals.

M&S says its priority is protecting customer trust as investigations continue, though it advises that “you do not need to take any action and, to give you extra peace of mind, next time you visit or login to your M&S.com account on our website or app, you will also be prompted to reset your password.”