David P. Willis

Asbury Park Press

Hackers may have made off with millions of credit card and debit card accounts used at Sonic Drive-In locations, according to a security blog.

In a posting Tuesday, Krebs on Security said Sonic Drive-In, a fast-food chain with 3,600 restaurants in 45 states, has acknowledged a breach affecting an unknown number of Sonic cash registers, known today as point-of-sale terminals.

About 5 million credit card numbers were recently put up for sale on a shadowy underground online network, Krebs wrote. The card has recently been used at Sonic locations.

Unknown at this point is whether the breach affected only a small portion of Sonic Drive-In sites or the entire chain.

The company's credit card processor informed Sonic last week of "unusual activity regarding credit cards used at Sonic," said Christi Woodworth, a Sonic spokeswoman.

"We are working to understand the nature and scope of this issue, as we know how important this is to our guests," a statement by the company said. "We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able."

These types of breaches typically involve hackers surreptitiously accessing a company's point-of-sale system (cash registers) and planting malware that copies information from each credit card swiped by customers. The malware then sends the credit card information to the hackers, who sell it on underground forums such as the one where Krebs found the Sonic card info for sale.

This is what happened in the Home Depot breach of 2014 and the Target breach of 2013.

Why our credit cards keep getting hacked

Thieves buy the credit card data and use it to create copies of the cards which are then used to buy high-priced merchandise for resale or return.

A Sonic spokeswoman told Krebs the investigation is still in its early stages. The company does not know how many or which of its stores may be impacted, the company told the blog.

Contributing: Elizabeth Weise at USA TODAY