(Michael Ocampo)Three months after craft retailer Michaels announced it may have been the victim of a data breach, the company confirms the worst: nearly 2.6 million consumers’ credit cards are affected. In January, Michaels, a large arts and crafts chain, warned customers that the company “may have experienced a data security attack.” On Friday, the company announced that sometime between May 8, 2013 and January 27, 2014 about 2.6 million or 7% of payment cards used at its stores were compromised. Additionally, nearly 400,000 cards were affected at 54 Aaron Brothers stores, a subsidiary of the company, from June 26, 2013 to February 27, 2014. While officials say the affected systems contained payment card numbers and expiration dates, there is no evidence that data such as customers’ names or personal identification numbers were at risk. “After weeks of analysis, we have discovered evidence confirming that systems of Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” Michaels CEO Chuck Rubin says in a statement to customers on the company’s website.