GameStop is looking into claims that a data breach possibly allowed hackers to steal the personal information of online customers, likely including names, addresses, credit card numbers, and both card expiration dates and CVV2 security codes.

Krebs on Security reports that GameStop was notified of the potential intrusion after credit card data previously used on its website showed up for sale online.

Since, GameStop has hired a security firm to look into those claims and notes that the company will “take appropriate measures to eradicate any issue that may be identified” following that investigation.

Sources told Krebs on Security that the retailer’s website was compromised at some point in a five month period spanning between mid-September 2016 and early February 2017, though GameStop declined to comment on both the timeframe or kind of data stolen in the breach.