GameStop is investigating a security breach that may have involved the theft of customer data including payment card information from its website. A spokesperson for GameStop told Krebs on Security that they recently received notification from a third party that payment card data used on GameStop.com was being offered for sale online.

Upon receiving the tip, GameStop said it hired a leading security firm to investigate the claims and is working non-stop to address the matter and take measures to eliminate any issue that may be identified.

GameStop would not comment on the timeframe of the breach or the type of customer data that may have been compromised. Two sources in the financial industry, however, told Krebs that the gaming retailer’s website was likely infiltrated between mid-September 2016 and early February of this year.

Compromised data is thought to include payment card numbers, expiration dates, names, addresses and card verification values (CVV2), the three-digit security code on the back of cards. Merchants aren’t supposed to store CVV2 values, Krebs notes, but this data can be skimmed by hackers who install malware on e-commerce sites.

The breach appears to affect only GameStop’s online business, as there is no evidence that retail stores were impacted. No word yet on how many cards could have been compromised.

If you shopped at GameStop.com between mid-September and this past February, it’d be wise to keep a close eye on your payment card account and notify your bank or credit provider if you spot any suspicious activity.