An internal investigation by Chick-fil-A has pinpointed the source of a security breach in its mobile app that the Atlanta-based restaurant chain said was limited to a small percentage of its customers.

Chick-fil-A said in a California regulatory notice that a coordinated and automated credential-stuffing attack against its website and its popular Chick-fil-A One app was the source of the breach: the attackers replayed email-and-password pairs stolen elsewhere against the company's login endpoints rather than breaking into its own systems.

“Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source,” the notice said.
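The attack the notice describes, automated logins with reused credentials, leaves a recognisable trace in login logs: one client hitting many distinct accounts in a short time with a low success rate, which no legitimate user produces. The following is an added illustration of that heuristic, not Chick-fil-A's code; the log line format, the thresholds, the function names and the sample traffic (generated inline, not real data) are all assumptions of this example. It also lists the accounts that the flagged source logged into successfully, which are the ones that need the password reset and stored-payment purge the notice describes.

```python
"""Heuristic credential-stuffing detector for web/mobile login logs.

Added example, not Chick-fil-A's code. Assumed log format per line:
    <ISO-8601 timestamp> <client IP> <account email> <OK|FAIL>
"""
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    account: str  # lower-cased email so Dana@ and dana@ count as one account
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse login attempts, skipping malformed lines so one bad record cannot stall detection."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        out.append(Attempt(ts, parts[1], parts[2].lower(), parts[3] == "OK"))
    return sorted(out, key=lambda a: a.ts)


def detect_stuffing_sources(attempts, window=timedelta(minutes=10),
                            min_attempts=20, min_accounts=10, max_success_rate=0.25):
    """Flag client IPs that, inside any sliding `window`, make >= min_attempts login
    attempts against >= min_accounts distinct accounts with a success rate <= max_success_rate.
    A user retrying their own password touches one account, so is never flagged.
    Thresholds are assumptions; tune them against real baseline traffic."""
    by_ip = defaultdict(list)
    for a in attempts:  # attempts are already sorted by time, so each per-IP list is too
        by_ip[a.ip].append(a)
    flagged = {}
    for ip, rows in by_ip.items():
        times = [a.ts for a in rows]
        for i in range(len(rows)):
            j = bisect_right(times, times[i] + window)  # first attempt outside the window
            chunk = rows[i:j]
            if len(chunk) < min_attempts:
                continue
            accounts = {a.account for a in chunk}
            successes = sum(a.ok for a in chunk)
            if len(accounts) >= min_accounts and successes / len(chunk) <= max_success_rate:
                # Record the first window that trips the rule and move on to the next IP.
                flagged[ip] = {"attempts": len(chunk), "accounts": len(accounts), "successes": successes}
                break
    return flagged


def accounts_to_reset(attempts, flagged_ips):
    """Accounts with a successful login from a flagged source: the attacker held valid
    credentials for these, so force a password reset and purge stored payment data."""
    return {a.account for a in attempts if a.ip in flagged_ips and a.ok}


def build_sample_log() -> str:
    """Constructed sample traffic (not real data): one attacker IP replays a leaked list of
    30 email/password pairs in under five minutes, three of which still work, while one
    legitimate user mistypes twice and then signs in from a different IP."""
    t0 = datetime(2023, 1, 10, 8, 0, 0, tzinfo=timezone.utc)
    lines = []
    for n in range(30):
        ts = (t0 + timedelta(seconds=10 * n)).strftime("%Y-%m-%dT%H:%M:%SZ")
        result = "OK" if n in (4, 17, 23) else "FAIL"
        lines.append(f"{ts} 203.0.113.7 user{n:02d}@example.com {result}")
    for k, result in enumerate(("FAIL", "FAIL", "OK")):
        ts = (t0 + timedelta(minutes=1, seconds=20 * k)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} 198.51.100.5 Dana@example.com {result}")
    return "\n".join(lines)


if __name__ == "__main__":
    attempts = parse_log(build_sample_log())
    flagged = detect_stuffing_sources(attempts)
    for ip, s in flagged.items():
        print(f"{ip}: {s['attempts']} attempts, {s['accounts']} accounts, {s['successes']} successes")
    print("accounts to reset:", sorted(accounts_to_reset(attempts, flagged)))
```

On the constructed sample, only 203.0.113.7 is flagged (30 attempts across 30 accounts, 3 successes), and the three accounts it logged into are the ones to reset; the legitimate user's two failures on a single account stay below every threshold. In production the per-IP key is weak on its own, since stuffing tools rotate through proxy pools, so the same windowed count is usually also run per device fingerprint, per ASN and globally (a site-wide jump in distinct accounts failing per minute is the low-and-slow signal).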

The notice to California authorities was first reported Thursday by technology website Bleeping Computer.

Chick-fil-A released a statement Friday saying that fewer than 2% of Chick-fil-A One app users were affected by the data breach, which the company first disclosed in early January. The company did not disclose a specific number of affected customers. The app and its associated accounts link customers’ bank accounts, gift card uploads and other personal information.

Chick-fil-A, which operates roughly 2,700 locations in the United States, previously said the suspected fraudulent activity was not due to a compromise of Chick-fil-A’s internal systems.

“We never want our customers to experience something like this and have communicated directly with those impacted to resolve these issues, while taking necessary efforts to protect our systems and our customers for the future,” the company’s statement said.

Chick-fil-A required affected users to reset passwords, remove stored financial information and temporarily freeze funds loaded onto the app, according to the California Attorney General’s Office notice. The company said customers’ account balances were restored in addition to “added rewards” for customer loyalty.

Chick-fil-A urged customers to contact the company online at chick-fil-a.com/customer-service/contact or call 1-866-232-2040 to report suspicious account activity.