The hackers also managed to steal some credit- and debit-card information relating to 100 unlucky consumers who had purchased vouchers online.
The pub chain said the information had not been encrypted, because it stored only the last four digits of the cards in its database. Hackers did not access the customer names or expiry dates associated with the cards.
According to a statement from JD Wetherspoon chief executive John Hutson, the hackers targeted a database associated with the company's old website. Hutson said this site had since been replaced, and is managed by a "new digital partner".
Hutson said: "We have taken all necessary measures to secure our website following this attack. A forensic investigation into the breach is continuing."
The breach took place in mid-June, but was not discovered until this week.
Hackers were unable to access passwords, but the database also included full names, dates of birth, email addresses and phone numbers.
According to the Financial Times, which uncovered the hack, this information is already up for sale in private forums.
No way for customers to check
Customers who signed up to the company newsletter, registered their details when using Wetherspoon's WiFi, used the site's contact form or bought pub vouchers online may be affected. However, there appears to be no way for individuals to confirm whether their data has been accessed.
Hutson warned all customers to be vigilant against potential email phishing attacks. He added that the chain "cannot be certain" customer details hadn't been used for fraud.
This is the second major cyber attack on a UK company in recent months. The TalkTalk breach, one of the biggest on a British firm, was revealed in October. The hack cost the brand £35m and considerable loss of face after chief executive Dido Harding was slammed for her apparent technical ignorance. The brand said 157,000 customers had been affected by the breach.