Builders' merchant Jewson has taken its store offline and warned customers that their data may have been stolen by hackers.
Up to two thousand customers who used the Jewson Direct online store between 23 August and 3 November could have been affected.
Jewson confessed to the data breach in a letter sent to customers on Friday and published by online technology news publication The Register.
"As a Jewson Direct customers, we regrettably are writing to inform you that our website (www.jewsondirect.co.uk) has suffered a security breach and, as a result, your personal data including your credit/ debit card details may have been compromised."
The company warned customers that a whole range of information may have been stolen during the breach.
Names, location, billing address, password, email, phone number, payment details, card expiry dates and CVV numbers "may" have fallen into the hands of an "unauthorised person", according to the report.
"At this stage we are aware that a foreign piece of code was encrypted into the Jewson Direct (formerly Jewson Tools Direct) website," the company told customers.
"The code has been identified and removed, and we are investigating the breach of security and any related potential loss of information/personal data.
"No card data is stored by Jewson, however, until the investigation has been completed, customers have been informed of a potential breach of card data as an advisory measure."
Jewson's press office did not immediately respond to a request for comment, although a customer service employee confirmed that the business had received many calls regarding the data breach.
The merchant's website, Jewson Direct, is currently offline for what the website says is "some maintenance".
A spokesperson for the UK's data watchdog, the ICO, said: "We are aware of an incident involving Jewson, and will be making enquiries."