GameStop.com may have been compromised by hackers, putting credit card info and customer data at risk, the company has confirmed. It has engaged the services of a security firm to help in the investigation.

"GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website,” a company spokesman told Krebs on Security. “That day a leading security firm was engaged to investigate these claims. GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified."

Two sources in the industry told Krebs about alerts pinpointing the data breach between mid-September 2016 and the first week of February 2017. GameStop offered no comment on the timeframe.

What makes the leak even worse is that in addition to basic credit card info, it is highly likely that the three-digit CCV codes on the back of cards was also captured. While most retailers don't store that info, hackers can use malicious software to grab and save the info before it is encrypted and processed.

“We regret any concern this situation may cause for our customers,” GameStop said. “GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges. If you identify such a charge, report it immediately to the bank that issued the card because payment card network rules generally state that cardholders are not responsible for unauthorized charges that are timely reported.”