LaCie, the French computer storage company acquired by SeaGate in 2012, has revealed that its customers may have had their details stolen in an attack that lasted a whole year.
The FBI alerted the company to indications that a hacker had used malware to copy credit card details and passwords from its online store. The breach supposedly happened between 27 March 2013 and 10 March 2014.
"It is a major breach," Ron Austin, senior lecturer in computer security at Birmingham City University, told the BBC. "LaCie is a fairly big company and you would question their information security policies."
The attack, if confirmed, would be particularly embarrassing for LaCie, who also manufacturer security encryption software.
Failing to prevent an attack of this kind, and it going unnoticed for a whole year, would leave the company with "egg on its face" according to tech consultant Graham Cluley.
A statement on the company's website has warned shoppers to check their bills for any charges that could seem fraudulent and to change their logins and passwords on their next visit to the store.
"The information that may have been accessed by the unauthorised person may include customers' names, addresses, email addresses, and payment card numbers and card expiration dates," it said.
Blogger Brian Krebs wrote that he had warned LaCie that its site was vulnerable to an exploit in Adobe's ColdFusion web app a few days before they were alerted by the FBI on 19 March. He was told that the firm had found no indication that it had been compromised.