Up until last week, 2018 had been comparatively quiet when it came to massive data breaches, then Under Armour revealed that 150 million users of its MyFitnessPal app had their personal info compromised. Now, department store chains Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor have confirmed that 5 million of its customer credit and debit card details were stolen, and they’re being sold on the Dark Web.

The retail brands’ Canada-based parent company, Hudson’s Bay, yesterday announced the breach and said it was taking steps to contain the attack. The incident was discovered by cybersecurity firm Gemini Advisory, who wrote that a group of Russian-speaking hackers known as Fin7 or JokerStash listed 125,000 of the stolen accounts for sale on the Dark Web, with the rest expected to arrive in the coming months.

Most of the card details come from stores in New York and New Jersey, though Engadget notes that three Canadian stores in Toronto, Brampton, and Pickering may have also been hit.

Gemini believes the initial siphoning of the data started in May 2017 and could still be taking place today. Hudson’s Bay revealed few official details about the breach, such as when it began and if it’s been contained.

“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the company said, in a statement.

We still don’t know how the malware was installed in the stores’ checkout systems, though Gemini thinks the hackers used phishing attacks that targeted company employees, thereby giving the attackers a backdoor into the systems.

The news follows a 2017 Buzzfeed investigation that revealed many of Saks Fifth Avenue’s customer records (not payment details) were stored in plain text on publicly accessible servers.