Macy’s and Bloomingdale's have informed online shoppers of a data breach that lasted nearly two months. 

According to a letter from Macy’s Inc., the department stores’ parent company, an unauthorized party reportedly used stolen usernames and passwords to log into the online accounts of certain Macys.com and Bloomingdales.com customers between April 26 and June 12. While it said only “a small number of our customers” were affected by the breach, it didn’t specify how many and said only that the data was obtained from an outside source.

The breach compromised data such as full names, addresses, phone numbers, email addresses, birthdays, and payment card numbers with expiration dates, according to a July 6 report in the Detroit Free Press. Macys.com accounts do not include CVV numbers that appear on the backs of credit cards or Social Security numbers, according to the retailer.

38980950505_8a6fe07d73_b.jpg

Macy’s cyber threat alert tools detected suspicious login activities on June 11, and on June 12, it blocked the accounts that appeared to have been breached.

“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” a Macy’s spokesperson said in a statement. “Macy’s Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”

Affected accounts will remain blocked until users change their passwords, and emails were sent to customers with the subject line “Important information about your Macy’s online profile.” The retailer has also advised customers to change the passwords to any accounts that share this login information. 

Macy’s is the latest in a string of retailers that have been impacted by data breaches in 2018. In March, MyFitnessPal, the fitness tracking app of Under Armour, suffered a breach that affected approximately 150 million accounts. 

In April, more than five million credit and debit card records were stolen from Lord & Taylor, Saks Fifth Avenue and Saks Off 5th by a hacking group. Later that month, both Best Buy and Sears confirmed that a number of customers had their payment information compromised during the breach of chatbot support services platform [24]7.ai.

In late June, Adidas reported that a “few million” online consumers may have had their data exposed to an unauthorized party.

Stolen retail accounts are currently a hot commodity on the dark markets. With stores adopting point-of-sale systems using more secure EMV payment systems, fraudulent online transactions are increasing.

If you were impacted by the breach or are looking to be more vigilant in safeguarding your data when shopping online, here are some ways to protect yourself:

  • Be wary of creating an online account when checking out. While it is convenient to have all of your shipping, billing, and payment information saved for your next online purchase, it also opens you up to having your data stolen. If you choose to create an account, only do so for stores you shop at often.
  • Use strong passwords and do not repeat passwords across multiple retailer, or other, websites.
  • Remain vigilant for fraud and identity theft by consistently reviewing your banking and credit card statements for unauthorized purchases. If you are one of the customers affected by this breach, notify your debit or credit card companies.

Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.