Heads-up: If you bought plane tickets from Delta, tools from Sears or household goods from Kmart between Sep. 26 and Oct. 12 last year — and you did it online — your name, address and credit card numbers may have been exposed at those companies’ websites.

As far as we understand it, none of those companies’ internal databases were actually breached. Instead, a piece of malware temporarily residing in their online chat service — a chat service provided by [24]7.ai — may have harvested your payment info after you completed a transaction. 

Even if you didn’t use the online chat, you could be affected. “Any customer who entered payment data on delta.com during Sept. 26 to Oct. 17 may have had their information accessed,” a Delta spokesperson told CNET.

In an FAQ, Delta says that multiple hundreds of thousands of its customers could potentially have had data stolen. Sears Holdings, which also owns Kmart, says it believes fewer than 100,000 of its customers were affected by the breach.

It’s not clear if other companies have been affected. A January profile of [24]7.ai listed American Express, AT&T, Best Buy, Citi, eBay, Farmers Insurance and Hilton as possible clients of the chat company as well. A [24]7.ai spokesperson declined to comment, citing confidentiality agreements.

In a press release, however, [24]7.ai says the issue only affected “a small number of our client companies,” and the vulnerability was fixed by Oct. 12 of last year. Both [24]7.ai and Delta say there’s no indication yet that any personal information was actually stolen, only that it could have been.

However, it may be too early to tell, since Delta says it was only informed of the breach on March 28, a little over a week ago. Sears says it was informed in mid-March. 

Delta says it’ll ensure customers won’t be responsible for any fraudulent use of their credit cards, and will offer free credit monitoring. Sears Holdings will offer Sears and Kmart updates at this website.