says four months of customer credit cards stolen by hackers, a large online custom mug and apparel store, had a four-month-long data breach just before the busy Christmas holiday season.

The company said in a letter to state attorneys general that hackers siphoned off credit card numbers from customers who made orders through its site between August 5 and November 16, 2018 using code injected on the company’s payments page.

The malicious card skimming code was removed from the site after it was discovered.

According to the letter, the hackers stole credit card numbers, the security code and expiration date, as well as names, addresses, phone numbers, email addresses and ZIP codes — everything that someone might need to make fraudulent payments.

But the company didn’t say how many people were affected by the breach. It’s believed to be thousands of customers who made purchases through the site during the four-month period.

TechCrunch reached out to Sai Koppaka, chief executive of parent company Bel USA, who did not respond to a request for comment, nor did the company’s spokesperson. Emails sent to Comvest, a private equity firm and an investor in Bel USA, also went unreturned. might not be a household name, but it ranks in the top 10,000 sites in the U.S., according to Alexa, bringing in thousands of customers every day.

The company becomes the latest in a line of websites affected by credit card skimming code. The so-called Magecart group of hackers have targeted thousands of sites in the past few years, scraping credit card data when a customer enters their information at the checkout and silently sending it on to the hackers’ servers.

Other big-name companies were hit, including British Airways, Newegg and Ticketmaster.