The cyber-thieves went straight to the heart of one of the biggest and most respected credit and debit card processing companies in the country, Heartland Payment Systems of Princeton, N.J.
"It could be the largest breach ever," said cyber law attorney Andrew DeVore. "It would dwarf the largest prior breach."
Sources tell CBS News that hackers cracked Heartland's computers as far back as May of last year. But it wasn't until last week, after being alerted to suspicious activity by Visa and MasterCard, that the company uncovered malicious software in its system.
Heartland, which acts as a middle man between retailers and banks, processes 100 million transactions per month at an estimated 200,000 merchants nationwide - mainly gas stations, bars and restaurants.
The company says it has alerted about 150,000 of them, but CBS News found several that didn't learn about the breach until we told them.
"I'm disappointed from that point of view that they wouldn't be up front and proactive. Because customers trust us to protect their records and they are the keeper of the record," said bar owner Peter O'Connell.
Now there are concerns the public company has downplayed the danger to untold millions of consumers.
"I think the release of information was a bit manipulative in the timing," said security analyst Avivah Litan of Gartner Group. "It was released on inauguration day, but the incident was known about for days before that."
The president of Heartland originally agreed to an interview with CBS News before canceling. We wanted to ask why the company's inauguration day in which it didn't even mention that millions of credit card numbers and expiration dates - the only information needed for fraud - were stolen.
Only today did Heartland say it doesn't know how many card numbers were compromised. Its only advice was for consumers to check their own statements to make sure they're not the latest victims of financial fraud.