The arts and crafts supply chain Michaels Stores Inc. today revealed the potential scope of a data breach it first reported back in January, and it is a doozy. According to reports, as many as 3 million credit and debit card numbers may have been stolen from the chain, and its subsidiary, Aaron Brothers.

According to the site KrebsonSecurity.com, the card numbers were taken over the course of two separate data breaches last year that ran for as much as eight months. Apparently the breaches were accomplished via a type of malware that two different security companies Michaels hired had never seen and were initially unable to find, the site said. The company said it has since corrected the problem and closed the breach.

In a FAQ blog on the Michaels website there is a link to a PDF listing every store that was affected, and they are all across the United States.

If you shopped at a Michaels in 2013 using a credit or debit card, and haven’t replaced that card and/or changed all associated PINs and passwords, now might be a good time to rethink that.