The company said customer usernames, passwords and addresses had potentially been accessed by a third party.
The data breach exposed accounts on the company’s old UK website, which was replaced in September 2017.
The company told the BBC it was taking the breach “extremely seriously” and had reported it to the information commissioner.
Cash Converters lets people trade in items such as jewellery and electronics for cash, and then sells the items on to others.
It operates an online store that lets people buy items traded in at Cash Converters shops around the UK.
The online store was re-launched in September 2017, and the data breach affected only people with an account on the old website.
Cash Converters said no credit card information had been breached, and people who visited its stores but did not use the website had not been affected.
“Our customers truly are at the heart of everything we do, and we are disappointed that they may have been affected,” the company said in a statement.
“We apologise for this situation and are taking immediate action to address it.”