Spitfire chief executive officer Paul Hynek was told by the company's credit card processor, Online Data, that the scam may have affected as many as 25 other companies.
Online Data president John Rante said that a total of 100,000 fraudulent credit card transactions were involved.
According to Hynek, Online Data approved more than 60,000 of the false charges, worth $5.07 (£3.30) each, on 12 September.
Online Data is a reseller of VeriSign's credit card payment gateway services, which performed the authorisations.
Although about $300,000 (£195,000) in charges were approved by VeriSign, the company stopped the transactions before they were completed, so no money was ever transferred to Spitfire, claimed Hynek. However, the authorisations let the thieves know that those credit cards were valid.
As soon as Online Data became aware of the problem, Rante said, the company worked closely with VeriSign to notify the credit card companies, which then deactivated the cards. Rante said the credit card companies are co-operating with federal authorities investigating the fraud.
If the scam had not been detected, Hynek said, thousands of dollars in fraudulent charges could have been racked up before cardholders became aware of any problem.
Spitfire, whose products include a talking toilet paper holder, learned of the scam when customers who noticed false charges on their accounts began calling the company, Hynek said.
Hynek, Rante and VeriSign spokesman Tom Galvin all said they believe thieves most likely got the credit card numbers by cracking the passwords of the affected merchants.
However, Dan Clements, a credit fraud expert with CardCops.com, disagreed. He said the card frauds may have exploited a hole in the customer database of a large Internet merchant that did not properly secure its Web site.
Read more on IT risk management
Research shows UK web users have become a lot more savvy about online security, but there is still a long way to go, says internet infrastructure firm VeriSign....