In late December, the popular Northeast convenience store chain Wawa disclosed hackers had obtained payment data for some of its customers. Now, the scope and the fallout from the hack is becoming apparent, as criminals this week reportedly began to sell millions of credit and debit card accounts on the Internet.
According to Gemini Advisory, a firm that researches cybercrime, a well known hacker known as Joker Stash posted the data for sale on Monday evening on the so-called dark web—an anonymous layer of the Internet popular with criminals.
In a screenshot given to Fortune by Gemini Advisory, the criminal boasts of possessing more than 30 million card numbers from more than 40 different states stemming from a “nationwide breach.” The screenshot, shown below, does not name Wawa but Gemini is confident the company is the source of the breach:
Philadelphia-based Wawa, which has over 850 stores, issued a statement on Tuesday acknowledging the post on the dark web.
“Today, we became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the previous Data Security Incident … We continue to work closely with federal law enforcement in connection with their ongoing investigation,” said the statement, which also noted Wawa is working with partners to monitor for fraud.
In a letter disclosing the breach in December, Wawa CEO Chris Gheysens stated the company was not aware of any unauthorized use of the card information, and that customers would not be responsible for unauthorized charges. Hackers obtained the data by infecting Wawa’s payment system with malware.
According to Andrei Barysevich of Gemini Advisory, which published its own account of the hack, the alleged sale of the Wawa data by Joker Stash fits a familiar pattern used by multiple hackers. The pattern involves selling the data in small batches to other criminals, who will then seek to use the credit card information for fraudulent purposes.
The median price for such data is $17 per card, says Barysevich. In the case of Wawa, he says, the likely buyers will be criminal gangs in the Northeast, since overseas banks are likely to identify many of North American cards as suspicious and block criminals from spending them.
According to Wawa, the hackers did not obtain the security codes on the cards, which will make it difficult for criminals to use them online or at stores with chip readers. As such, Barysevich says, gangs will likely use the stolen data to print new cards, and to seek out merchants that still accept swipe-based credit card payments.
If hackers indeed stole more than 30 million accounts from Wawa, the breach would rank among the country’s biggest, after similar hacks that befell the likes of Target and Hilton Hotels.
This article was updated at 4:20pm ET to include Wawa’s response.
More must-read stories from Fortune:
—The long ocean voyage that helped find the flaws in GPS
—Atari-themed hotel deal punctuates the gaming pioneer’s turnaround
—Into the ‘crucible’: How the government responds when GPS goes down
—This tech giant says A.I. has already helped it save $1 billion
—What is tech doing to protect the whistleblower’s identity? Not much
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.
