Sources inside the credit card industry have reportedly said that as many as 3.7 million card numbers may have been stolen. Egghead.com has not confirmed any credit card number thefts.
"As a precautionary measure, we have taken immediate steps to protect our customers by contacting the credit card companies we work with," Egghead.com said in a statement released Friday morning. "They are in the process of alerting card issuers and banks so that they can take the necessary steps to ensure the security of cardholders who may be affected."
Egghead.com uses Digital River, an ecommerce service provider based in Minnesota, for its software download store. Marty Boos, vice president of Information Systems for Digital River, said his company has determined that its systems were not involved in the Egghead.com breach. And Boos said that for the 9,000 online stores Digital River operates for clients, customer data -- including credit cards -- are not accessible from the Web.
"You ought to be storing your credit card and customer information in a database that is non-Web accessible," Boos said. "The normal type of architecture is you've got your Web server sitting in a de-militarized zone and they can only talk to the back-end database through some kind of a tunnel. That is the way that most companies that are building stores today are building them."
Egghead.com did not reveal how it learned of the breach, but it said that it has been strengthening its security for many months in "an effort to combat the increasing, industry-wide problem of malicious hacking."
The company said it has retained "the world's leading computer security experts" to investigate its security procedures and conduct an analysis of the intrusion. The company also said it is working with law enforcement authorities who are conducting a criminal investigation.
"We are committed to providing the highest security standards in the industry, a process that has been ongoing and has involved a considerable investment on the part of our company," Egghead.com said in its statement. "Those principles will continue to guide us going forward."
Meanwhile, the FBI is reportedly investigating reports by dozens of online shoppers of fraudulent charges to their credit cards by a mysterious Russian telecommunications firm.
Numerous Internet users have discovered unauthorized charges of about $10 on their credit card statements this month, paid to a company called Global Telecom.
The bogus charges were first reported on the message boards at FatWallet.com, a shopping information site. Many online shoppers believe their credit card numbers were stolen somehow during an online transaction at an as yet unidentified e-tailer or e-tailers. Then the card numbers were charged small amounts by Global Telecom, so as to avoid detection.
It's not clear how Global is involved in this scam. The company operates two web sites, at GTELECOM.NET and at INETPLAT.COM. Both are registered to Global Telecom Solutions Corp. in Panama, although the contact info sections at the sites list a Moscow address. Attempts to reach Global this morning were not successful.
It's also difficult to gauge just how many people have been affected by this scam.
Tim Storm, FatWallet's operator, says his site gets about 13,000 unique visitors each day, and while they may do more online shopping than most Internet users, Storm says the prevalence of users who are reporting Global Telecom charges is alarming.
As to which ecommerce site has coughed up the credit card numbers that are being used to rack up these $10 charges, a spokesperson for Egghead.com today said the company doesn't believe it was the source. Some posters to the FatWallet message boards are speculating that drugstore.com may be the common thread, but Judith McGarry, vice president of Strategic Partnerships for drugstore.com, today said the online company has investigated the rumors and is confident of its security.
In recent days, a computer crook broke into creditcards.com, which processes credit transactions for online companies, and posted some 25,000 credit card numbers on the Internet after a failed blackmail attempt. It's not clear whether those card numbers are the ones involved in the Global Telecom case.
All in all, this rash of online security breaches, coming as it has during the holiday shopping season, is raising some tough new questions about online security, and whether ecommerce firms are doing enough to protect themselves.
Boos of Digital River said it's not enough just to build good defenses against attackers -- he said defenses need to be tested from time to time with outside security audits.







