Video game retailer GameStop is looking into reports that its website, gamestop.com, may have been breached and that customer credit-card information may have been stolen. Independent security reporter Brian Krebs first reported the story on his website KrebsOnSecurity.
“GameStop recently received notification from a third party that it believed payment-card data from cards used on the GameStop.com website was being offered for sale on a website,” a GameStop representative told Krebs. The company representative went on to say that the company had hired a security firm to investigate.
According to Krebs' sources, gamestop.com was compromised sometime between the middle of September 2016 and early February 2017. The stolen data may include credit-card numbers, card expiration dates, names, addresses and 3-digit CVV security codes.
If you made a purchase on GameStop's website in that timeframe (or even think that you may have), you should check your last few months' worth of credit-card statements, and inspect your most recent activity either online or on the phone. Additionally, you should put a free 90-day credit alert on file with a credit reporting agency: Experian, TransUnion or Equifax.
GameStop has been fighting an uphill battle as the video-game industry goes increasingly digital, which means fewer gamers need brick-and-mortar stores, and even fewer trade in their old games (GameStop's bread-and-butter is selling used games to new consumers). The company bought ThinkGeek in 2015 to start selling pop-culture merchandise, and also sells phone plans through Cricket Wireless, in an attempt to diversify its offerings.