diff --git a/src/helpers.ts b/src/helpers.ts
index 9017e16..d6fa54b 100644
--- a/src/helpers.ts
+++ b/src/helpers.ts
@@ -214,8 +214,8 @@ const EMAIL_REGEX = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g;
 const PHONE_REGEX = /(\+?\d{1,3}[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}/g;
 const API_KEY_REGEX = /\b(sk_live_|sk_test_|api_key_|token_|secret_|key_)[a-zA-Z0-9]{10,}\b/gi;
 const HEX_REGEX = /\b[a-fA-F0-9]{32,}\b/g;
-const CC_REGEX = /\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/g;
-const SSN_REGEX = /\b\d{3}-\d{2}-\d{4}\b/g;
+const CC_REGEX = /\b(?:\d[ -]*?){13,16}\b/g;
+const SSN_REGEX = /\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b/g;
 
 /**
 * Masks sensitive data like emails, phone numbers, API keys, hex strings,
@@ -227,10 +227,10 @@ const SSN_REGEX = /\b\d{3}-\d{2}-\d{4}\b/g;
 export function maskSensitiveData(message: string): string {
 let safeMessage = message;
 safeMessage = safeMessage.replace(EMAIL_REGEX, '***@***.***');
+ safeMessage = safeMessage.replace(CC_REGEX, '****-****-****-****');
 safeMessage = safeMessage.replace(PHONE_REGEX, '***-***-****');
 safeMessage = safeMessage.replace(API_KEY_REGEX, '$1[REDACTED]');
 safeMessage = safeMessage.replace(HEX_REGEX, '[REDACTED_HEX]');
- safeMessage = safeMessage.replace(CC_REGEX, '****-****-****-****');
 safeMessage = safeMessage.replace(SSN_REGEX, '***-**-****');
 return safeMessage;
 }
diff --git a/tests/unit/helpers.test.ts b/tests/unit/helpers.test.ts
index e33766b..4ea050c 100644
--- a/tests/unit/helpers.test.ts
+++ b/tests/unit/helpers.test.ts
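Review bot: In src/helpers.ts the new `CC_REGEX` decides on digit count alone, so it redacts any 13–16 digit run (a 13-digit millisecond timestamp, a long numeric id) while a card number longer than 16 digits is still not matched, because the trailing `\b` cannot fall inside a longer digit run. The relaxed `SSN_REGEX` over-matches in the same way: any bare nine-digit number is now rewritten to `***-**-****`. If over-redaction is the intended trade-off for log output, state it above the patterns, e.g. `// Deliberately broad: any 13-16 digit run is treated as a card number; no Luhn check.` Otherwise consider widening the bound to `{13,19}` and passing matches through a Luhn check in a replacer callback so that ordinary numbers survive.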
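Review bot: In `maskSensitiveData` (src/helpers.ts) the order of the `replace` calls is now load-bearing, but nothing in the function says so. `PHONE_REGEX` has no `\b` anchors, so if it ran ahead of `CC_REGEX` it could match ten or more digits inside an unseparated card number and leave the remaining digits in the output; a later reorder would silently bring that back. A comment on the moved line would pin it: `// CC must run before PHONE: the unanchored phone pattern would otherwise match inside a card number.`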
@@ -137,3 +137,20 @@ describe('uiKindToString', () => {
 assert.strictEqual(uiKindToString(vsc.UIKind.Desktop), 'desktop');
 });
 });
+
+describe('maskSensitiveData', () => {
+ const { maskSensitiveData } = require('../../src/helpers');
+
+ it('should mask different formats of credit card numbers', () => {
+ assert.strictEqual(maskSensitiveData("My CC is 1234-5678-9012-3456"), "My CC is ****-****-****-****");
+ assert.strictEqual(maskSensitiveData("My CC is 1234567890123456"), "My CC is ****-****-****-****");
+ assert.strictEqual(maskSensitiveData("My CC is 1234 5678 9012 3456"), "My CC is ****-****-****-****");
+ assert.strictEqual(maskSensitiveData("Amex: 378282246310005"), "Amex: ****-****-****-****");
+ });
+
+ it('should mask different formats of SSN', () => {
+ assert.strictEqual(maskSensitiveData("My SSN is 123-45-6789"), "My SSN is ***-**-****");
+ assert.strictEqual(maskSensitiveData("My SSN is 123 45 6789"), "My SSN is ***-**-****");
+ assert.strictEqual(maskSensitiveData("My SSN is 123456789"), "My SSN is ***-**-****");
+ });
+});
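Review bot: Both new `it` blocks in tests/unit/helpers.test.ts assert only positive matches, so nothing pins what the broadened patterns must leave alone or how the replacements interact. Add at least one negative case, e.g. `assert.strictEqual(maskSensitiveData("took 1234 ms"), "took 1234 ms");`, and one message that carries a card number and a phone number together so the ordering inside `maskSensitiveData` is covered. Loading the helper through `require` inside `describe` also yields an untyped binding; a top-level import would keep the call type-checked, assuming the file already imports from `../../src/helpers` (not visible in this hunk).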