DES MOINES, IOWA (KMHL) – Internet security expert Krebs On Security says the data stolen in a data breach from Hy-Vee is being sold on the internet.

According to Krebs, one of the more popular underground stores peddling credit and debit card data is selling data from more than 5.3 million new accounts belonging to cardholders from 35 U.S. states. Krebs says the data comes from compromised gas pumps, coffee shops and restaurants operated by Hy-Vee.

Earlier this month, the retailer said it was investigating a possible breach.

In a statement released Aug. 14 Hy-Vee said, it believes the breach does not affect payment card terminals in the grocery checkout lanes, pharmacies or convenience stores.