Add a new certainty to the old pair of “death and taxes”: data breaches. GameStop may be the latest retailer to face this inevitability, with a new report indicating that customer data has been stolen from its website.

The news comes from security expert Brian Krebs at KrebsOnSecurity, who reports today that two different sources in the financial industry have told him something is up.

The sources say that credit card processors are indicating that GameStop.com appears to have been compromised by intruders between Sept., 2016 and Feb, 2017.

The data stolen is “thought to include” customer names and addresses, along with card numbers, expiration dates, and the 3-digit security code on the back. In other words, everything you’d need to use someone’s card illicitly.

As Krebs points out, merchants aren’t supposed to store those codes, but hackers can put malicious software onto websites that basically skims and records the numbers at the moment before it’s encrypted and transmitted — no storage necessary.

GameStop confirmed to Krebs that it was investigating whether or not its website had been subject to a breach, saying, “GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website.”

GameStop has hired a security firm to investigate and will “take appropriate measures to eradicate any issue that may be identified,” a company spokesperson also told Krebs.

In the meantime, GameStop offers the same advice we always do: Keep a regular eye on all your credit card statements, and contact your card issuer immediately if a charge pops up that you didn’t put there.