If you shopped on Macy’s website in early October, you might want to take a close look at your credit card statement.
The company disclosed in a letter to affected customers that malware was inserted onto its website on October 7 that could have siphoned off credit card data, names, postal addresses, phone numbers, and email addresses for customers who used the macys.com checkout page or updated their payment information.
The unauthorized code was removed October 15. People who used the Macy’s mobile app or updated their account info on a mobile device shouldn’t have been affected, the company says.
Macy’s says it’s working with law enforcement to investigate the breach and taking steps to secure the site so it can’t happen again. In the meantime, the department store giant is offering affected customers a year of Experian IdentityWorks protection and has notified the major credit card networks of the issue.
The company also recommends customers take a look at their statements and promptly report any unauthorized activity. As Macy’s says, U.S. credit and debit card users usually aren’t responsible for unauthorized charges they promptly report to financial institutions.
Similar malware infections, often dubbed Magecart attacks, have affected other major online retailers recently, including Ticketmaster and Newegg, ZDNet reports.