CVS, Rite Aid, Sam's Club, Costco, Walmart Canada and several other retail chains have suspended their online photo services following a possible breach of customer credit card information that resulted from a cyberattack against a third-party service provider.

At the center of the possible breach is the Canada-based PNI Digital Media, which may have leaked credit card information from its online photo processing websites, possibly compromising data linked to millions of users.

No official announcement has been released by PNI Digital Media. Staples, which was the target of a major hack last year, acquired the company a year ago.

Rite Aid's photo site issued the following alert: "We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data. Unlike for other PNI customers, PNI does not process credit card information on Rite Aid's behalf and PNI has limited access to this information."

The notification warned that compromised data could include names, addresses, phone numbers, email addresses, photo account passwords and credit card information, but there were no reports from any customers with compromised information.

Last week, Walmart Canada warned of a possible similar breach of its online photo website. The Globe and Mail identified the third party as PNI Digital Media.

"We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised," CVS said in a statement on its website homepage. "As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services."

None of the retailers involved has so far reported that it believes the breach would affect any of its in-store customers, including individuals who used in-store photo services.

"More and more, large companies are brought to their knees by small vendors that do not have their IT security policies and procedures in place," Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based security awareness training provider KnowBe4, said. "The defense-in-depth of smaller vendors is lacking and this can cost large companies tens of millions. Target is a good example, their AC vendor was hacked with a phishing attack and that is how the bad guys broke into Target. This is a similar situation here."

According to Krebs on Security, until July 17, PNI Digital Media's company investors page reported that it worked with many retailers. While that page is now blank, a recent version cached by Google's search engine reads: "PNI Digital Media provides a proprietary transactional software platform that is used by leading retailers such as Costco, Walmart Canada, and CVS/pharmacy to sell millions of personalized products every year."

PNI's potential breach comes just a week after the Denver-based Service Systems Associates, a third-party operator of concessions and retail services, announced a data security breach that likely affected about 12 of the payments systems it operates for retail gift shops, including locations at zoos, museums and parks across the country.

"Breaches like this have become frighteningly routine," Adam Harder, director of mobile engineering at cybersecurity firm Endgame, commented. "Walmart, CVS and Costco are finding their names in the news and have failed their customers. From a mobile perspective, the CVS mobile app does connect to the CVS photo center."

Because the current trend tightly connects to in-store services, Harder suggested end users need to be wary, even with large, trusted brands, when entering credit card info into a phone app.

"When it was initially designed, was the CVS mobile app intended to connect to a large third party system like PNI Media's? This breach is a good lesson to users and app developers that a simple thing like a customer loyalty app that didn't initially handle payments can change at a later date, and a third party may one day be trusted with payment data," he said.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).