Macy’s customer payment information stolen in Magecart data breach
Macy’s has announced that it suffered a data breach due to its website being hacked with malicious scripts that steal payment information from customers.
According to a “Data Breach Notice” published by Macy’s, their website was hacked on October 7, 2019 and a malicious script was added to the “Checkout” and “My Wallet” pages. If payment information was submitted on these pages while compromised, credit card details and customer information were sent to a remote site under the attacker’s control.
“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately opened an investigation. Based on our investigation, we believe that on October 7, 2019, an unauthorized third party added unauthorized computer code on two (2) pages on macys.com. The unauthorized code was very specific and only allowed the third party to capture information submitted by customers on the following two (2) macys.com pages: (1) the payment page – if the credit card details have been entered and the “place order” button has been activated; and (2) the wallet page – accessible via My Account. Our teams successfully removed the unauthorized code on October 15, 2019.”
As part of this breach, attackers were able to gain access to customer information and credit card information which includes first name, last name, address, city, state, zip code, phone number, e-mail address, payment card number, payment card security code, and payment card expiration month / year if submitted on a compromised page.
Macy’s says it was alerted to the hack on October 15, 2019, a full week after the site was hacked and attackers collected payment information.
After the website was cleaned up, Macy’s notified law enforcement and hired “a leading forensic firm” to assist with their investigation. They also contacted all affected credit card brands, including Visa, American Express, Discover and Mastercard to inform them of the breach.
Macy’s told BleepingComputer that only a small number of customers are affected and that they have put additional security measures in place to ensure that it does not happen again.
“We are aware of a data security incident involving a small number of our customers on Macys.com,” Macy’s told BleepingComputer in a statement. “We have thoroughly investigated the matter, addressed the cause, and implemented additional safety measures as a precaution. All affected customers have been notified and we are providing consumer protection to those customers at no cost.”
Macy’s has started sending emails to affected individuals advising them to monitor their credit card statements for suspicious or fraudulent activity. If anything is detected, consumers should immediately contact their credit card company and dispute the charge.
Macy’s is also offering all users who have been affected by this breach one free year of the Experian IdentityWorks credit monitoring service. Users will be able to register with the attached instructions and the unique identifier assigned to them.
The Magecart attack
A researcher who wishes to remain anonymous for the time being reported the Magecart attack to Macy’s and shared some of its details with BleepingComputer.
When attackers compromised Macy’s website, they modified the https://www.macys.com/js/min/common/util/ClientSideErrorLog.js script to include an obfuscated Magecart script.
The researcher told us that when a customer submits their payment information, this script runs and sends the submitted information to a command and control server at Barn-x.com/api/analysis.php.
Attackers could then gain access to any stolen payment information by connecting to the command and control server.
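Because the skimmer was added to an existing first-party script, a check that compares the scripts a site serves against digests recorded at release time would flag the change as soon as it runs. The following is an added example, not code from Macy’s, the researcher or BleepingComputer; the second script path, all script bodies and the function names are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// SHA-256 of a script body, hex encoded.
const sha256 = (text) =>
  crypto.createHash("sha256").update(text, "utf8").digest("hex");

// Record known-good digests at release time: Map(path -> sha256).
function buildBaseline(releasedScripts) {
  const baseline = new Map();
  for (const [path, body] of releasedScripts) baseline.set(path, sha256(body));
  return baseline;
}

// Compare what the site serves now against the release baseline.
// Any byte-level change to a checkout-path script is reported, so an
// obfuscated payload appended to a legitimate file is still caught.
function auditScripts(baseline, served) {
  const findings = [];
  for (const [path, body] of served) {
    if (!baseline.has(path)) {
      findings.push({ path, issue: "unexpected-script" });
    } else if (sha256(body) !== baseline.get(path)) {
      findings.push({ path, issue: "content-changed" });
    }
  }
  for (const path of baseline.keys()) {
    if (!served.has(path)) findings.push({ path, issue: "missing-script" });
  }
  return findings;
}

// Constructed sample data. The first path is the one named in the article;
// the second path and both script bodies are hypothetical.
const ERROR_LOG_JS = "/js/min/common/util/ClientSideErrorLog.js";
const released = new Map([
  [ERROR_LOG_JS, "function logClientError(e){/* constructed body */}"],
  ["/js/min/checkout/form.js", "function validateForm(f){return true;}"],
]);
const baseline = buildBaseline(released);

// Simulate the served copy differing from the released copy.
const servedNow = new Map(released);
servedNow.set(ERROR_LOG_JS, released.get(ERROR_LOG_JS) + ";/* extra bytes (constructed) */");

console.log(auditScripts(baseline, servedNow));
```

Run on a schedule from outside the web tier, so that an attacker who can modify the served files cannot also modify the baseline.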
Update 11/18/19: Addition of information on the magecart script and the C2 server.