What is known about the breach
According to the notice sent by Macy’s to affected customers, the breach was discovered on October 15, 2019, after they were alerted to a suspicious connection between macys.com and another website.
“Based on our investigation, we believe that on October 7, 2019, an unauthorized third party added unauthorized computer code to two pages on macys.com,” they noted.
“The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two macys.com pages: the checkout page – if credit card data was entered and ‘place order’ button was hit; and the wallet page – accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019.”
An unnamed researcher told Bleeping Computer that the info-stealing script had been embedded in a legitimate script on the website and that it sent the submitted information to a C&C server at Barn-x.com/api/analysis.php.
The stolen information includes customers’ first and last name, full address, phone number, email address, payment card number, security code and expiration date, but only if these were typed into the two aforementioned webpages.
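The two signals described above, a first-party script that no longer matches what was deployed and a reference to a host the site does not own, can both be checked from a copy of the served script. The following is an added illustration, not code from the article or from Macy's; the script contents, file name and allowlist are constructed, and the only real value is the exfiltration host the researcher named.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse


def sri_hash(content: str, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64>") for script text."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def check_script(name: str, content: str, baseline: dict) -> str:
    """Compare a served script against its baselined SRI hash.
    Returns "ok", "modified" (hash differs) or "unknown" (never baselined)."""
    expected = baseline.get(name)
    if expected is None:
        return "unknown"
    return "ok" if sri_hash(content) == expected else "modified"


# Absolute URLs embedded in the script; stops at quotes, whitespace and brackets.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)


def foreign_hosts(content: str, allowed: set) -> set:
    """Hosts referenced by absolute URLs in the script that are not on the allowlist."""
    hosts = set()
    for url in URL_RE.findall(content):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in allowed:
            hosts.add(host)
    return hosts


def audit(name: str, content: str, baseline: dict, allowed: set) -> dict:
    """Run both checks and return one finding for the script."""
    return {"integrity": check_script(name, content, baseline),
            "foreign_hosts": foreign_hosts(content, allowed)}


# Constructed sample inputs (hypothetical checkout script, not Macy's code).
BASELINE_JS = "function placeOrder(form) { return validate(form) && submit(form); }\n"
MODIFIED_JS = BASELINE_JS + "report('https://Barn-x.com/api/analysis.php');\n"
ALLOWED_HOSTS = {"macys.com", "www.macys.com"}

if __name__ == "__main__":
    baseline = {"checkout.js": sri_hash(BASELINE_JS)}  # recorded at deploy time
    print(audit("checkout.js", BASELINE_JS, baseline, ALLOWED_HOSTS))
    print(audit("checkout.js", MODIFIED_JS, baseline, ALLOWED_HOSTS))
```

The same `sri_hash` value can be placed in a `<script integrity="...">` attribute so the browser refuses a script that no longer matches, while `foreign_hosts` is a quick offline triage of where a script is prepared to send data.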
“Customers checking out or interacting with the My Account wallet page on a mobile device or on the macys.com mobile application were not involved in this incident,” Macy’s claims.
Affected customers have been advised to “remain vigilant for incidents of financial fraud and identity theft” by regularly reviewing their account statements and immediately reporting any suspicious activity to their card issuer.
“You may also contact your card issuer and inform them that your card information may have been compromised. Your card issuer can suggest appropriate steps to protect your account. Payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner,” the company pointed out.
They also offered affected customers free identity protection services for 12 months, an offer that must be taken up by the end of the month.
Colin Bastable, CEO of security awareness training company Lucy Security, noted that the hackers will not be too disappointed that they only infected two pages on macys.com, given that those were the checkout and wallet pages.
Magecart is not a mystery, he added; one might think that, by now, additional security measures would be added to all websites as a matter of course, before hackers drop in some malicious code.
“For consumers, ‘tis the season to be robbed online. Don’t be fooled by that secure SSL padlock, nor by your browser trusting a website’s ‘secure’ https: prefix,” he added.
“Between now and the New Year’s sales, hundreds of millions of dollars will be up for grabs by online hackers, and the credit card companies have already built in the losses as a cost of doing business.”
This is not the first time Macy’s suffered a data breach. In April 2018, attackers managed to get their hands on the names, passwords and payment card info of 0.5% of customers registered on macys.com or bloomingdales.com (Bloomingdale’s is Macy’s corporate sister company).