BrickLink, an online Lego parts marketplace owned by Lego, is back online after several days of downtime due to a cybersecurity incident that apparently targeted some merchant accounts. The company said it received a “threat and ransom demand” last Friday, presumably in regard to company or user data, leading it to shut down the site “out of an abundance of caution.”

The site has been detecting “limited suspicious activity” since mid-October, where unauthorized sellers fraudulently attempted to collect money through unrealistically discounted listings.

BrickLink says a “relatively small” amount of accounts may have been compromised but does not see any evidence that its systems were breached. It says “credential stuffing” occurred, where bad actors input compromised passwords from other sources to try to break into owners’ accounts on different sites.

Lego reviewer and blogger Jay Ong, who writes for Jay’s Brick Blog, posted that they received a message from BrickLink that all users must change their passwords. Ong says they were assured their BrickLink account was not compromised. Notably, BrickLink does not yet offer two-factor authentication, although it plans to in the future.

Correction November 8th, 8:43PM ET: BrickLink is owned by Lego; we previously called it an unofficial marketplace. We regret the error.