Vision Direct is warning customers that a hack attack has exposed their personal data including payment card numbers, expiry dates and CVV codes.
It said anyone who entered their details into its site between 3 and 8 November could be affected.
The firm describes itself as Europe’s biggest online seller of contact lenses and eye care products.
Several experts have said a fake Google Analytics script placed within the site’s code was the apparent cause.
“Being able to provide the CVV number usually indicates that you have the card in your hand when making a purchase,” commented cyber-security researcher Scott Helme.
“Now the attackers have the full card details including the CVV number, these checks carry less value.”
A statement on Vision Direct’s site says that anyone who updated their details during the stated period, or had an order or update submitted on their behalf by its customer services team, should contact their banks and/or credit card providers.
“The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV,” said a notice on its site.
“We understand that this incident will cause concern and inconvenience to our customers. We are contacting all affected customers to apologise.”
Vision Direct’s site had previously said that all card payments made to its service were “totally secure” and that it had never once heard of a case of them being misused.
It added that customers who had used PayPal during the period might have had their names and addresses accessed, but said their payment details should still be secure.
Vision Direct was acquired by the French firm Essilor International two years ago.
A spokeswoman for the company said she would pass on the BBC’s request for more information, including an estimate of how many people had been affected.
In the meantime, its Twitter account has been telling customers that “compensation will be considered on a individual basis should there be any material loss incurred”.
The Information Commissioner’s Office told the BBC it had yet to be formally notified of the incident.
“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms,” said a spokeswoman.
“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”
It is not clear how a fake script could have been placed on the firm’s site – and Vision Direct has yet to confirm the detail – but Mr Helme said such attacks were preventable.
“Historically we may have seen card skimmers installed on an ATM but now we’re seeing these attackers install them on websites instead,” he said.
“Depending on the exact details, there are technologies that sites can deploy to protect themselves in a variety of ways.”