Macy’s has informed online shoppers of a data breach that lasted nearly two months. The breach affected an unspecified but “small number of our customers,” the retailer revealed in a letter emailed to Macys.com customers last week.
Macy’s cyber threat alert tools detected suspicious login activities on June 11.
An unidentified third party gained access to accounts on Macys.com and Bloomingdales.com using valid usernames and passwords between April 26 and June 12. With that info, the third party logged in to customers’ accounts, and then gained access to names, email addresses, phone numbers, birthdays and payment card information. Macys.com accounts do not include CVV numbers that appear on the backs of credit cards or Social Security numbers, according to the retailer.
Advertisement
On June 12, Macy’s blocked the profiles that seemed to be breached by the third party.
Macy’s will be providing affected customers one year of free identity protection through AllClear ID. In addition, the company also suggested that customers change their passwords and contact their debit or credit card companies to tell them about the data breach.
Macy’s is the latest in a string of retailers that have been impacted by data breaches in 2018. In March, MyFitnessPal, the fitness tracking app of Under Armour, suffered a breach that affected approximately 150 million accounts, Including user names, email addresses and encrypted passwords.
In April, more than five million credit and debit card records were stolen from Lord & Taylor, Saks Fifth Avenue and Saks Off 5th by a hacking syndicate (though only 125,000 of those were immediately offered for sale on the dark web). Later that month, both Sears and Best Buy confirmed that a number of customers had their payment information compromised during the payment breach of chatbot support services platform [24]7.ai. The incident exposed information of nearly 100,000 Sears customers.
Most recently, in late June, Adidas reported that a “few million” online consumers may have had their data exposed to an unauthorized party.
