Macy’s Data Breach: Customer Emails, Credit Cards Compromised

Add another name to the growing list of retailers hit with cybersecurity attacks in 2018: Macy’s recently informed customers of a breach that lasted nearly two months this spring.

The department store said that a third party gained access to accounts on Macys.com and Bloomingdales.com using valid usernames and passwords between April 26 and June 12. While it said only “a small number of our customers” were affected by the breach, it didn’t specify how many and said only that the data was obtained from a source other than Macy’s.

The retailer’s cybersecurity tools detected suspicious login activities on June 11, and on June 12, it blocked the accounts that appeared to have been breached. On Twitter, several customers have complained that they were only notified months after the attacks.

If you shop @Macys online, change your username and password now. My account got hacked in May and some mofo attempted to buy crap. Macy’s only just informed me it had suffered a data breach via snail mail. It’s very likely due to the numbnuts @Equifax

— Les Shu (@DT_Les) July 6, 2018

“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” a Macy’s spokesperson said in a statement. “Macy’s Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”

Watch on FN

This year, more than 5 million credit and debit card records were believed to have been stolen from Lord & Taylor, Saks Fifth Avenue and Saks Off 5th by a hacking syndicate (though only 125,000 of those were immediately offered for sale on the dark web). Soon after, a security incident at Sears compromised nearly 100,000 accounts, while a June breach of Adidas’ website affected a few million customers.

With the login information, the third party would have been able to access customers’ full names, addresses, phone numbers, email addresses, birthdays and debit or credit card numbers with expiration dates (although not security or CVV codes).

Macy’s is advising customers to change the passwords to any accounts that share this login information. Affected accounts will remain blocked until users change their passwords, and emails were sent to customers with the subject line “Important information about your Macy’s online profile.”