Bank account information and users’ passwords are among details feared stolen by hackers in a security breach at a service used to raise donations from millions of people.
Many UK universities and charities, as well as hundreds of other organisations worldwide, use the software involved.
Its developer Blackbaud made the admission in a regulatory filing.
The firm previously said the theft had been limited to other personal data – but not payment details.
It added it was contacting affected clients. They, in turn, will need to send follow-up alerts to at least some of the donors they had already contacted about the incident.
“We have informed the small subset of Blackbaud customers who were part of this development,” the company told the BBC.
“We apologise that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cyber-crime incident.”
The BBC has learned that some of the organisations believed to have been impacted by the latest development include:
“We are aware that some financial data may have been accessed as a result of the data breach and are working with Blackbaud to determine if this affects us,” said a spokesman for the National Trust.
Millions of people worldwide have been warned they could have been affected in the original alerts sent out about the attack over recent months.
A spokeswoman for the Information Commissioner’s Office said: “Our investigation is ongoing and we will be making further enquiries regarding the latest developments.”
The ICO said it knew of 166 UK organisations that had been affected by the security breach.
They include dozens of universities as well as health-related charities, schools and trusts set up to care for historic buildings.
International clients who were affected also included hospitals, human rights organisations, non-profit radio stations and food banks.