Last Saturday, Ticketmaster UK found malicious software on a customer support product that had accessed a small percentage of customers’ data. Ticketmaster says it contacted the customers who were affected, which were “less than 5 percent of our global customer base.”

The software was found on a customer service product supplied by an external company called Inbenta Technologies. Ticketmaster found that the software caused an unknown third party to receive customer data, including names, mailing addresses, email addresses, phone numbers, payment details, and Ticketmaster logins. It then disabled the Inbenta product on all its websites, including Ticketmaster International, Getmein!, and TicketWeb.

The data breach affected some international customers (but none in North America) who bought or tried to buy tickets between September 2017 and June 23rd. It also affected UK customers who bought tickets between February and June 23rd.

Affected customers should reset their passwords. Ticketmaster is offering a free 12-month service that will monitor instances of identity theft for those customers.

Ticketmaster says on its security page: “If you have not received an email, we do not believe you have been affected by this security incident based on our investigations.” It’s currently investigating how the breach occurred with forensics and security experts, and working with credit card companies, banks, and the local authorities.

Inbenta’s CEO Jordi Torras said in a statement to The Verge: “We can confirm with 100 percent certainty that no data was taken from our servers and no other customers other than Ticketmaster were affected. The JavaScript we created specifically for Ticketmaster was used on a payments page, which is not what we built it for. Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat.”

Update June 28th, 1:11 PM ET: This article has been updated with a statement from Inbenta Technologies.