America's biggest bookstore chain has warned customers their card and Pin numbers may have been stolen after hackers attached bugs to card readers in stores.
Hackers planted bugs in a single card reader at 63 different stores, which then picked up data from credit card swipes and debit card Pins.
The bookseller said less than 1% of its payment devices were attacked by the hackers, however it has since disconnected Pin keyboards in nearly 700 stores.
Barnes & Noble, which is valued at nearly $900m (£560m), described the hack attack as a "sophisticated criminal effort" and warned customers to check for unauthorised transactions on their accounts.
The company said it fully implemented a security response on September 14 and deactivated the Pin keyboards. It added that details of online customers and Nook e-readers were not breached.
"Barnes & Noble is continuing to assist federal law enforcement authorities in this matter," the firm said.
"In addition, the company is working with banks, payment card brands and issuers to identify accounts that may have been compromised, so banks and issuers can employ enhanced fraud security measures on potentially impacted accounts."
Customers must now ask shop assistants to swipe their credit or debit cards on readers affixed to cash registers.
Barnes & Noble, which pioneered huge stores and promotes itself as "the internet's largest bookstore", is the latest major retailer to fall victim to a sophisticated data breach.
Last year, Sony (Other OTC: SNEJF.PK - news) saw 77 million customer details hacked from its Playstation system in a breach that may cost it up to $50m (£31m) in new security, customer compensation and lost revenue.
Earlier this year, online dating site eHarmony lost 1.5 million member passwords while networking site LinkedIn lost 6.5 million user passwords.