Macy's website hacked, customer credit card data stolen at checkout

By JC Torres/Nov. 19, 2019 8:47 pm EST

When you boast to be the world's largest anything, you're practically issuing a challenge not just to competitors but also to criminal elements to try their luck in taking you down. When you are one of the US' largest department stores, you definitely have a large target on your back, tempting hackers to try and make a profit at your customers' expense. That is the horrifying truth that Macy's and "a small number" of its customers have discovered last month after the retailer's online store was compromised, allowing hackers to get away with some shopper's credit card information.

Like all of the worst hacking incidents, this happened silently with none the wiser until an anonymous security researcher tipped Macy's on October 15. By then, however, the data breach has already been in operation for 8 days, running away with critical customer data.

The breach was done courtesy of what was dubbed as the Magecart attack that targeted vulnerabilities in the Magento e-commerce platform. It utilized obfuscated Javascript to sit in between Macy's server and the website form where customers enter their credit card details to make a purchase. For all intents and purposes, the order goes through without a problem on either side of the transaction. Unfortunately, Magecart also sends the payment information to a remote command and control server.

The data that was pilfered by this breach is frighteningly exhaustive. According to Bleeping Computer, the attackers were able to get access to customer's names, addresses, phone numbers, emails, payment card numbers, security codes, and expiration dates. In other words, the exact data needed to use those cards for fraudulent purchases.

The only good thing about this incident is that, unlike a database breach, these pieces of data could only be stolen if the customer put them in the compromised pages. Unfortunately, those pages were the checkout page and the user Wallet page. Still, Macy's claims that only a small percentage of its customers were affected and have already initiated countermeasures, including offering credit card monitoring for affected customers.