Macy’s Hacked In Magecart Attack

As its website has been hacked with code that steals shoppers’ payment information, Macy’s announced it has experienced a data breach. The website was compromised in early October, and a malicious script was added to the My Wallet and Checkout pages, Bleeping Computer reported.

If payment information was sent through those pages at the time they were compromised, according to the outlet, customer information and credit card data was sent to a remote site under control of the attacker. That kind of compromise, which is known as a Magecart attack, involves hackers compromising a website so they can put malicious JavaScript scripts into different sections of the site. Those scripts then take the payment information that a shopper submits.

As Macy’s said in a letter posted by the outlet, “On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two (2) pages on macys.com.”

The statement continued, “We are aware of a data security incident involving a small number of our customers on Macys.com. We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution. All impacted customers have been notified, and we are offering consumer protections to these customers at no cost.”

In separate news, a security researcher discovered that credit card-stealing malware was put into the code of the American Cancer Society’s online store. Willem de Groot discovered the malicious code, which was deeply buried and made to appear as analytics code. It was intended to scrape credit card numbers for sale on the dark web or for other malicious activities.

There have been similar attacks on Newegg, British Airways, Ticketmaster and AeroGarden. The attackers were reportedly part of the Magecart hacking group.