Macy's customers shopping online may have had their credit card info stolen

Names, addresses, phone numbers and email addresses were also captured in a cyber attack in October.

Corinne Reichert Senior Writer
Corinne Reichert (she/her) grew up in Sydney, Australia and moved to California in 2019. She holds degrees in law and communications, and currently writes news, analysis and features for CNET across the topics of electric vehicles, broadband networks, mobile devices, big tech, artificial intelligence, home technology and entertainment. In her spare time, she watches soccer games and F1 races, and goes to Disneyland as often as possible.
Expertise News, mobile, broadband, 5G, home tech, streaming services, entertainment, AI, policy, business, politics Credentials
  • I've been covering technology and mobile for 12 years, first as a telecommunications reporter and assistant editor at ZDNet in Australia, then as CNET's West Coast head of breaking news, and now in the Thought Leadership team.
Corinne Reichert

Macy's has suffered a data breach.

James Martin/CNET

Macy's has told customers about a data breach on its online shopping site, where credit card information may have been stolen back in October. As reported earlier Tuesday by CNET sister site ZDNet, the breach was caused by a Magecart card-skimming code implanted in the payment portal.

In a letter to customers, Macy's said it was alerted on Oct. 15 of a "suspicious connection" between its site and another. It discovered after investigating that on Oct. 7, unauthorized computer code was added to two pages on macys.com, allowing a third party to capture customer information at the checkout page and the wallet page.

The code was removed by Macy's on Oct. 15.

Macy's says the info accessed could include customer names, addresses, phone numbers and email addresses in addition to payment card numbers, expiries and security codes. Customers using the mobile app were not affected.

The department store has contacted federal law enforcement, as well as Mastercard, American Express, Visa and Discover. It says it has also "taken steps" to prevent it from happening again.

Watch this: Hackers are targeting Facebook accounts to run ad fraud campaigns