An Australian daily deals website company, Catch of the Day, alerted its users on Friday of a data breach that impacted one of its websites in 2011.

Data compromised in the attack on included account information such as passwords and credit card numbers of an undisclosed number of users who created accounts prior to May 7, 2011, according to a notice obtained by ZDNet.

While at the time the company “immediately informed police, banks and credit card companies” which resulted in an investigation and cancelled credit cards, it did not indicate why it waited three years to disclose the incident to users.  

Users with accounts created prior to that date have been advised to change their passwords by the company, which also informed the Australian Privacy Commissioner of the incident.