“GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website," GameStop said in a statement.
"That day a leading security firm was engaged to investigate these claims. GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified," the company added.
The issue was first reported on the blog KrebsOnSecurity, written by former Washington Post reporter Brian Krebs.
"Two sources in the financial industry told KrebsOnSecurity that they have received alerts from a credit card processor stating that Gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017," wrote Krebs.
In the meantime, GameStop is apologizing for any worry it's caused its customers.
"We regret any concern this situation may cause...GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges. If you identify such a charge, report it immediately to the bank that issued the card because payment card network rules generally state that cardholders are not responsible for unauthorized charges that are timely reported," it said.
GameSpot is following the story and we'll share any further updates we get.