"GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website," a company spokesperson wrote in an email to Fortune.
"That day a leading security firm was engaged to investigate these claims," the statement continued. "GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified."
The breached data could include customer card numbers, expiration dates, names, addresses, and the three-digit card verification values (CVV2) typically found on the back of credit cards, according to sources who spoke to cybersecurity website Krebs on Security.
Krebs on Security reports that they had received alerts from a credit card processor saying that GameStop's website was potentially comprised between September 2016 and February 2017. There is no indication that GameStop's retail locations were affected, according to Krebs.
"We regret any concern this situation may cause for our customers," the company added in its statement. "GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges. If you identify such a charge, report it immediately to the bank that issued the card because payment card network rules generally state that cardholders are not responsible for unauthorized charges that are timely reported."