PORTLAND – A security breach may have exposed the credit card information of people who bought Maine state park passes through an online vendor used by the state Conservation Department, Maine officials said Thursday. The potential breach could be much larger and involve consumers in other states, they said.

The company that handled the online park-pass purchases warned that a malware attack potentially exposed credit cards used in transactions last year from March 21 to Dec. 22, said Conservation Department spokeswoman Jeanne Curran. State officials learned of the problem last month.

Notices were sent to 970 credit card holders in Maine, and no one to date has reported any fraudulent charges, Curran said.

The online transactions were handled by InfoSpherix, a Maryland company and subsidiary of San Diego-based Active Network. A spokeswoman had no immediate comment.

The scope of the security breach was unclear Thursday. Active Network manages online registration, payment processing, donations and transactions for businesses and organizations nationwide.

The company told Maine officials that the problem could go far beyond the state because hackers managed to breach several servers containing credit card numbers and expiration dates, said Assistant Attorney General Thom Harnett. Names associated with those cards were kept on another server, he said.

As a precaution, the Maine Attorney General’s Office alerted attorneys general in other states.

Maine officials said the number of credit cards that may have been exposed was around 1,000. State law required that notifications be mailed to card holders in Maine, and they were advised to report any suspicious activity.