Department store chain Macy’s is telling some of its customers to keep an eye on their online store profiles and card statements for signs of fraud following the discovery of a security breach.
In a letter sent to customers earlier this month, Macy’s says “cyberthreat alert tools” warned it about “suspicious login activities” surrounding some Macy’s online accounts.
“Based on our investigation,” the company said, “we believe that an unauthorized third party, from approximately April 26, 2018 through June 12, 2018, used valid customer user names and passwords to login to customer online profiles.”
“After logging into a macys.com online profile, the unauthorized party was able to access the following information available in the profile: First and Last Name; Full Address; Phone Number; Email Address; Birthday (Month & Day only) and Debit or Credit Card Number with expiration dates,” Macy’s said.
Card CVV numbers and Social Security numbers were not exposed, Macy’s said.
Some Bloomingdale’s accounts also affected
But while the letter warns of a breach of macys.com accounts, in a statement to Bleeping Computer, the company said that some bloomingdales.com accounts were also affected.
The store chain played down the incident and said the security breach involved only a small number of customer accounts.
“This affected only one-half of one percent of our logged in customers,” a Macy’s spokesperson told us.
Macy’s also claims the breach is not its fault but happened because the hacker(s) obtained customer usernames and passwords from another source.
Macy’s freezes access to compromised accounts
The department store chain says it locked access to all accounts with suspicious login activity, and users won’t be able to access these accounts unless they reset their password.
Users with locked accounts also received a snail mail letter about the incident. A copy of this letter, obtained by Bleeping Computer, is available here.
The hacks of Macy’s profiles didn’t go unnoticed, as some users reported issues with their accounts’ settings, while others reported that hacker(s) tried to purchase products using their accounts.
Macy’s said it put card companies like Visa, MasterCard, American Express, and Discover on alert, and shared the payment card numbers exposed in the breach so they could watch them for fraudulent transactions.
The department store chain is now urging customers to remain vigilant for incidents of fraud and identity theft. It is also providing free identity protection services.