The heart of tech is coming to the heart of the Mediterranean. Join TNW in València this March 🇪🇸

This article was published on November 19, 2019

Hackers breached Macy’s website and hijacked customers’ payment info (Updated)

Hackers breached Macy’s website and hijacked customers’ payment info (Updated) Image by: Pixabay / Darwin Laganzon
Ravie Lakshmanan

Popular US department store chain Macy’s has revealed that its website was hacked with malicious scripts in an attempt to steal customers’ payment information.

According to Bleeping Computer, the online storefront — — was infected with “unauthorized code” on October 7 to its ‘Checkout’ and ‘My Wallet’ pages, allowing the bad actor to capture credit card data. Macy’s said it was alerted to the situation on October 15, a full week after the site was breached.

The attackers were able to access detailed personal information, including the customer’s full name and address, phone number, email address, payment card number, payment card security code, and payment card month/year of expiration if they were typed on one of the compromised pages.

An anonymous researcher told Bleeping Computer that a “ClientSideErrorLog.js” script was tainted with malware to harvest payment details, which were then transmitted to a remote command-and-control (C2) server hosted at

Macy’s said it’s investigating the incident and added it had taken steps to prevent it from happening in the future. The company also told the publication only a small number of users were affected. As a corrective measure, it’s offering impacted customers one year of free credit monitoring.

When reached out for a response, a Macy’s spokesperson said: “We are aware of a data security incident involving a small number of our customers on We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution. All impacted customers have been notified, and we are offering consumer protections to these customers at no cost.”

Increasing prevalence of Magecart attacks

Although spotted in the wild since 2010, this kind of intrusion — dubbed Magecart attack because of the threat actors’ initial preference for Magento e-commerce platform to gather illicit card data — has intensified over the last two years.

The attacks usually involve hackers compromising a company’s legitimate online store to siphon credit card numbers and account details of users who’re making purchases on the infected site by placing malicious JavaScript skimmers on payment forms.

“Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft,” cybersecurity firm RiskIQ noted in its report on the Magecart actors.

The recent wave of e-skimming attacks have grown so widespread — affecting over 18,000 domains — that it’s led the FBI to issue a warning about the emerging cyber threat and urging businesses to erect sufficient security barriers to protect themselves.

The intelligence agency, in an advisory posted last month, recommended that companies keep their software up-to-date, enable multi-factor authentication, segregate critical network infrastructure, and watch out for phishing attacks.

Other security measures could include employing obfuscation techniques to mask the actual HTML and JavaScript code the site runs on, so that it makes it difficult for attackers to reverse-engineer a program and insert card-skimming malware implants.

As a customer, unfortunately, there isn’t much you can do to safeguard yourself from formjacking attacks. One course of action is to use a virtual payment card service such as Blur, MySudo, or

That way, even if your credit card details get compromised, the attackers won’t be able to use it to make unauthorized payments on your behalf. But the downside to this approach is that they’re available only to US residents, so you’re out of luck if you live elsewhere.

If anything, the incident is yet another reminder that you practice good security hygiene, and be on the lookout for any instances of financial fraud or identity theft.

(The story was updated on Nov. 20 8:30 AM IST with a statement from Macy’s.)

Also tagged with

Back to top