The nation's largest arts and crafts chain said its subsidiary Aaron Brothers was also attacked, with about 400,000 cards potentially affected.
Irving, Texas-based Michaels said that it has contained the incident, which began last year. It has received "limited" reports of fraud from banks and the payment card brands that are potentially connected to the breach.
The compromised data includes customer information such as payment card numbers and expiration dates. But there's no evidence that other personal information such as names, addresses or PIN numbers were at risk, Michaels said.
Michaels' report comes as many shoppers worry about the safety of their personal data following a massive pre-Christmas security breach at Target Corp. that affected 40 million debit and credit cards.
The details come nearly three months after Michaels disclosed that it may have been a victim of a data breach and that it was working with law enforcement authorities, banks and payment processors.
The company said Thursday that both chains were attacked by criminals using highly sophisticated malware that had not been encountered previously by the two security firms that were conducting the investigation.
"Our customers are always number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused," said Chuck Rubin, CEO of Michaels, in a statement.
The breach at Michaels stores occurred between May 8, 2013 and Jan. 27. The company confirmed that between June 26, 2013 and Feb. 27, 54 Aaron Brothers stores were affected by this malware.
Michaels said that it was offering free identity protection, credit monitoring and fraud assistance services to affected Michaels and Aaron Brothers customers in the U.S. for 12 months.