The folks at computing giant Oracle have alerted users of its hugely popular point-of-sale payment system that cybercriminals managed to breach the company’s customer support computers and insert malicious code, potentially affecting hundreds of thousands of retail locations around the world.

“Oracle Security has detected and addressed malicious code in certain legacy MICROS systems,” reads a letter sent by the company to customers of its MICROS point-of-sale system.

Oracle acquired MICROS in 2014 for around $5 billion. At the time, the companies bragged that MICROS systems were found in some 330,000 payment terminals in 180 countries. Among the huge names in retail, foodservice, and hospitality were Hilton, Marriott, Hyatt, Carnival, SONIC, Ruby Tuesday, Starbucks, IKEA, BJ’s, and Ulta.

As usual, Brian Krebs was the first to report on this breach, noting that the apparent source of the attack is a Russian organization that has previously stolen more than $1 billion from banks and retailers.

“The size and scope of the break-in is still being investigated, and it remains unclear when the attackers first gained access to Oracle’s systems,” writes Krebs, who says he first heard of a problem in late July. “Sources close to the investigation say Oracle first considered the breach to be limited to a small number of computers and servers at the company’s retail division. That source said that soon after Oracle pushed new security tools to systems in the affected network investigators realized the intrusion impacted more than 700 infected systems.”

A letter sent by Oracle to customers — and seen by Consumerist — instructs MICROS customers to change their passwords on all MICROS accounts. Of more interest is the directive to also change any password that was previously used by any MICROS staffers who accessed the service on site.

This meshes with Krebs’ report that the breach affected the MICROS customer support portal. Among the infected systems was an Oracle customer “ticketing portal” that helps MICROS customers remotely troubleshoot problems with their point-of-sale systems.

According to Krebs, the malicious code on these support computers appears to have been sending back information to a server known to be connected to one particular Russian criminal organization.

In the Oracle letter, the company stresses that its “Corporate network and Oracle’s other cloud and service offerings were not impacted by this code.” Likewise, Oracle maintains that “Payment card data is encrypted both at rest and in transit in the MICROS hosted environment.”

This statement, along with the requirement of resetting on-site support passwords used by MICROS staffers, seems to indicate to Krebs that the point of concern may be at the point-of-sale terminals.

Security analyst Avivah Litan tells Krebs that the Oracle attack could explain “some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider.”