Federal authorities are investigating the theft of credit- and debit-card numbers from supermarkets in Maine and five other states during a security breach that lasted three months.

Hannaford Bros. supermarkets announced the problem Monday, saying it affected more than 250 stores in the Northeast and Florida.

Company officials said up to 4.2 million card numbers were exposed during the breach, which began in December and lasted until March 10. No names, addresses or Social Security numbers were stolen, they said.

There have been 1,800 fraud complaints tied to the security failure thus far. Investigators said they are still looking for a culprit.

The problem could have widespread ramifications in Maine because it affects all of the company's 165 stores in New England and New York.

Experts said the number of cases could rise sharply because many banks and credit unions are still reviewing fraud claims.

In some cases, the fallout will affect even those who do not shop at Hannaford supermarkets.

Some credit unions have decided to reissue all of their debit and credit cards in the wake of the breach, said Jon Paradise, spokesman for the Maine Credit Union League.

Paradise said he expects credit unions to replace more than 100,000 cards in the coming weeks.

Carol Eleazer, a Hannaford spokeswoman, said thieves accessed card numbers and expiration dates as they were being transmitted for authorization in checkout lines.

Eleazer said the company first got wind of the security breach on Feb. 27, when credit-card companies traced "unusual credit-card activity" to Hannaford customers.

A team of computer specialists later determined the data breach started on Dec. 7, but the security problem wasn't fixed until March 10, she said.

Eleazer declined to identify the problem with the card-authorization systems that led to the breach. And she would not specify changes made in response to the security failure or say how it was fixed.

"We will continue to strengthen our security safeguards," Eleazer said.

Card companies told banks and credit unions about the situation late Friday, but did not identify the source or explain the extent of the problem.

Banks began trying to get a sense of whether the data breach was widespread that afternoon.

Their trade associations criticized the company for not coming forward earlier, noting that contractual obligations prevented credit-card companies from naming the source of the breach.

"If, on Friday, we would've known who the retailer was, we could have done more work internally," said Chis Pinkham, president of the Maine Association of Community Banks.

Hannaford took responsibility Monday afternoon, shortly after executives notified Maine Attorney General Steven Rowe of the leak.

The company was required to inform the Attorney General's Office under a recently enacted state law meant to warn consumers of potential fraud.

Assistant Attorney General Linda Conti said her office will work with banks and consumers while federal authorities investigate the crime.

The U.S. Secret Service, whose duties include investigating electronic crimes such as data breaches, confirmed it's investigating but declined to comment on the scope of the crime.

"The company did contact us, and we are investigating," said agency spokesman Malcolm Wiley.

Spokesmen for the nation's two largest credit-card companies, Visa and MasterCard, said they could not discuss details of the breach.

The companies urged consumers to closely monitor their accounts and notify their banks and credit unions of any unusual transactions.

Hannaford warned customers to watch their credit- and debit-card statements and alert authorities in the event of unusual transactions.

It also told customers to beware of hoax e-mails and calls from people claiming to represent Hannaford...