French computer storage specialist LaCie has said credit card details and passwords of shoppers who used its site may have been stolen.
The hard-disk maker said the FBI had alerted it to "indications" of a hacker having used malware to copy details entered into its online store.
It added that the suspected breach was thought to have lasted from 27 March 2013 to 10 March this year.
Experts said it was unusual for such a problem to go unnoticed for so long.
"It is a major breach," Ron Austin, senior lecturer in computer security at Birmingham City University, told the BBC.
"LaCie is a fairly big company and you would question their information security policies.
"No expert can guarantee 100% security, but it goes back to compliance and ensuring that if you're offering services out on to the web that you are carrying out regular checks."
LaCie was taken over by US tech company Seagate in 2012, but still sells goods using its name.
The attack, if confirmed, could be particularly damaging for LaCie as the brand has security products among its wares.
Independent tech consultant Graham Cluley said the company had been left with "egg on its face".
"In an ideal world, attacks get prevented in the first place and you have done enough work to secure your website and maybe hired some penetration testers to see if there are vulnerabilities," he said.
"If you can't prevent it in the first place, hopefully you can pick it up while it's occurring and deflect it.
"Clearly LaCie did fail in some way. They should have spotted something was happening."
A statement on LaCie's website said that shoppers should check their bills for fraudulent charges and that they would need to change their logins when its store reopened.
"The information that may have been accessed by the unauthorised person may include customers' names, addresses, email addresses, and payment card numbers and card expiration dates," it said.
"Customers' LaCie website user names and passwords could also have been accessed, which is why we required a reset of all passwords."
The statement said that LaCie was alerted to the problem by the FBI on 19 March.
However, security blogger Brian Krebs had warned the company earlier that month that its site might have had credit card data stolen by a criminal gang exploiting vulnerabilities in Adobe's ColdFusion web application development software.
On 17 March Mr Krebs reported that LaCie had told him that its preliminary investigation had found no indication that customer data had been compromised.
But in a follow-up article, Mr Krebs said that LaCie had now acknowledged there were "indications" that someone had used malware that exploited the flaws in Adobe's code.
Mr Krebs added that other companies that had fallen victim to related attacks included the US credit card processor SecurePay and the jam-maker Smuckers.
For its part, Adobe has urged owners of its software to make sure they are using the latest release.
"We have no information regarding this incident outside of published reports," said a spokeswoman.
"However, the majority of attacks we see are exploiting software not up-to-date on the latest security updates.
"Adobe therefore strongly recommends that users install the latest security updates as the best possible defence against those with malicious intent."