Cash registers at 1,200 Kmart stores were infected with malware that scooped up payment card numbers for over a month, reports the retailer.
In a statement, Kmart said the security breach was discovered on 9 October and that the malware had been operating since early September.
An initial investigation suggests the cyber-thieves stole credit and debit card numbers.
So far, it is not clear how many cards and customers have been affected.
In its statement, Kmart said no personal information, PIN codes, email addresses or social security numbers were taken with the card numbers.
The malware has now been removed and the breach contained, it said, but it was continuing its investigation to gauge its full impact.
It added that there was no evidence that any of the card numbers stolen were being used to create counterfeit cards and land victims with bills for items they did not buy.
Despite this, Kmart said it would be offering free credit monitoring protection for customers to ensure any fraudulent use of their cards did not affect their credit score.
The US Secret Service, which leads investigations into financial fraud, is known to be investigating the case.
"I sincerely apologise for any inconvenience this may cause our members and customers," said Alasdair James, president of Kmart, in the statement.
News about the Kmart breach comes soon after the Dairy Queen restaurant chain revealed that some of its outlets across 46 US states were hit by hackers. Malware was used to steal names, card numbers and expiration dates of payment cards at 395 restaurants.
In recent months, many large US stores have been hit by attackers that target till systems. The largest attack was against Target, in which thieves stole details of 40 million payment cards.
Shawn Henry, a former FBI officer who is now head of security firm CrowdStrike Services, said retailers needed to do a better job of detecting breaches quickly, before large amounts of payment data were stolen.
The computer networks of retailers were so large that attackers were more than likely to find a way in, he told Reuters.
"This is going to continue indefinitely until people change their practices," said Mr Henry.