Two financial industry sources told Krebs a credit card processor alerted them that GameStop's website appears to have been compromised between September 2016 and February 2017.
The data potentially accessed includes customer names, addresses, card numbers, expiration dates and CVV2 codes.
"GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website," the company said in a statement. "That day a leading security firm was engaged to investigate these claims."
"GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified," the company added.
Deadline reports that GameStop shares dropped approximately 1 percent Friday afternoon in response to the news.
STEALTHbits Technologies CTO Jonathan Sander told eSecurity Planet by email that the timing of the attack shows how business-minded cyber criminals can be. "Hitting them during the Christmas season -- when tons of distant relatives buying kids they hardly know gift cards for the one thing they know every kid wants -- is pretty savvy timing," he said.
"It also means these are purchases that many will barely recall making, and consumers were exercising the least caution they ever do as they rushed to get all their online shopping done," Sander added.
And Seclore CEO Vishal Gupta said by email that the fact that CVV2 codes appear to have been accessed could make a big difference for the attackers. "There is a reason companies aren't allowed to store this CVV2 data in their own databases, so the fact that the hackers were able to intercept these security codes elevates the severity of the incident significantly," he said.
Cisco's 2017 Annual Cybersecurity Report, based on a survey of almost 3,000 CSOs and security operations leaders in 13 countries, found that more than a third of organizations that were breached in 2016 experienced customer, opportunity and revenue loss of more than 20 percent.
More than 50 percent of organizations faced public scrutiny after a breach, the survey found. Twenty-two percent of breached organizations lost customers, 29 percent lost revenue, and 23 percent lost business opportunities.
Photo courtesy of Shutterstock.