However, the company says the hackers can't use them to buy anything as they only got hold of the last four digits of the card numbers — and not the name or expiry date on the card.
As for the other 656,723 punters, personal details such as their name, date of birth, email address and mobile phone number have been stolen in the cyber-attack.
"We apologize wholeheartedly to customers and staff who have been affected.
"Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to responds to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence," said JD Wetherspoon chief executive John Hutson.
As for how the hackers who stole the information from the UK's favorite cheap pub chain, it could have been when they signed up for a newsletter, registered with "The Cloud" to access the internet, bought a Wetherspoon voucher online between January 2009 and August 2014 — or by simply submitting a 'Contact Us' form.
As for calling time on the cyber-attack, it was only discovered on 1 December — but actually took place between 15 and 17 June this year.