The company's chief technology officer Bobby Beaver confirmed in an email to ZDNet that "thousands of accounts" were affected, representing what he called "a small percentage of accounts."
The company sent an email to customers revealing that that hackers in June used brute-force techniques to cycle through account usernames and passwords that were stolen from a breach of another unnamed site.
The online marketplace denied that its systems had been directly breached.
Zazzle said that customers will be prompted to choose a new password when they next visit the site.
"The reset procedure we referenced requires the user reconfirm their email address by sending a security token to that email address," said Beaver. "As such, a malicious actor could not reset the password for the account -- unless they had access to the email account itself, which is not in our control."
Zazzle's login page now features a one-click CAPTCHA box, aimed at slowing down automated login attempts, and the company said it was "currently evaluating additional safeguards" to deter similar attacks.