A notice (PDF) posted by the long-operating department store chain said that, between October 7 and October 15 of this year, a Magecart script was running on the checkout page of its retail website.
The script was able to capture payment card details in two different ways: as they were being entered on the checkout page when placing an order, or when details stored in the “wallet” page on the Macy’s website were then used to place an order.
“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website,” the retailer told exposed punters.
“Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two pages on macys.com.”
Unfortunately for Macy’s customers, the script got pretty much everything needed for card fraud: card number, security code, and expiration date. Additionally, the malware was able to collect customer names as well as email and mailing addresses and phone numbers.
Macy’s notes that only the webpage was compromised: users who made purchases with the mobile app were not exposed. Experts say that the attack appears to be a rather bog-standard Magecart operation, albeit an extremely successful one.