It’s been a while since we saw a large data breach—as Facebook rightly noted, the Cambridge Analytica incident doesn’t fall under this definition—but Under Armour has just announced it suffered the biggest hack of the year so far. The Baltimore-based company yesterday said that 150 million users of its MyFitnessPal app and website had their accounts compromised in February.

According to SecurityScorecard (via Reuters), the size of the hack makes it one of the top five to date. Information exposed during the breach included user names, email addresses, and passwords hashed with the bcrypt algorithm. The app does not collect government-issued data such as social security details and driver’s license numbers. Credit card information, which is collected and processed separately, was also unaffected.

The incident took place in late February, but Under Armour did not learn of it until March 25. The company has said it will require MyFitnessPal users to change their passwords and recommended they do so as soon as possible. Users should also change their passwords on any sites that use the same login credentials.

As is often the case following data breaches, Under Armour said it is improving its security systems to prevent similar hacks from taking place in the future. “We continue to monitor for suspicious activity and to coordinate with law enforcement authorities,” added the company.

Under Armour has come under fire from customers for allowing the breach to take place, and many aren’t happy it waited four days before informing them that their data had been compromised.