Macy's Customers Start Receiving Information on How to Protect Their Accounts After a Data Breach
Surveys suggest that users hold businesses responsible for protecting their personal information and expect them to take full responsibility after a data breach. Sometimes, however, things aren't quite that simple. For example, last year, some customers of the apparel retailer Macy's had their personal information compromised by hackers, but the store was hardly the only party to blame. Back then, Macy's was targeted by a credential stuffing attack, and a credential stuffing attack can only work if many customers reuse the same old passwords across sites. Macy's doesn't (and shouldn't) have control over how people manage their login data, which means that it can't be held accountable when the inevitable consequences of rampant password reuse present themselves.
Unfortunately, last month, a little over a year after the first attack, Macy's suffered a second one, and this time, things are a bit different.
Macy's suffers a second cyberattack
Earlier this week, a copy of a data breach notification letter surfaced, which revealed that Macy's is informing its customers of a second hacking incident. The message was apparently sent last week, and it states that on October 7, cybercriminals managed to hack into Macy's website and inject malicious code into two of the pages: the checkout page and the Wallet page of the My Account section.
The checkout page is where people enter their credit card details (including card number, CVV code, and expiration date), and as you might have guessed already, the injected script's main goal was to scrape all that data and send it to a server controlled by the attackers. From the My Account section, the hackers were also able to steal names, physical and email addresses, and phone numbers.
Pretty much the same sort of details were stolen during the July 2018 attack. The difference, however, is that while the first incident can be blamed on users' poor password hygiene, the responsibility for the second one rests solely with the online retailer.
Magecart was behind the incident
The attack bore all the characteristics of a Magecart operation from the very start, and sure enough, after taking a look, the experts concluded that this is exactly what it was. Magecart, for those of you who don't know, is not a malware family. It's not a hacking crew, either. Magecart is a collective name for online credit card skimming operations that employ a particular set of tools and techniques: malicious JavaScript injected into a store's checkout pages that copies the card details shoppers type in and sends them to a server controlled by the attackers. The popularity of Magecart attacks has grown so much over the last couple of years that this type of skimming is now widely considered one of the biggest threats to e-commerce businesses.
Oleg Kolesnikov from Securonix Threat Research Lab told The Register that Macy's suffered a typical Magecart attack. The compromised files had been targeted in previous incidents of this type, and even the Command & Control (C&C) domain had been used in earlier Magecart campaigns.
Despite all this, Macy's security team failed to notice the initial intrusion, and they didn't catch the attack until a week later, which means that quite a few credit cards might have been compromised. Unfortunately, the exact number of affected users remains unknown for now.
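A skimmer of the kind described above survives only as long as nobody notices that the checkout page is loading code it did not load yesterday. The following script is an added illustration, not code from the article or from Macy's, of the simplest defensive check that closes that gap: it inventories every `<script>` on a fetched page and reports any external source or inline body that is absent from a recorded baseline. The baseline values, domain names and page content are all constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

# Constructed baseline for a hypothetical checkout page: the script URLs it is
# known to load and SHA-256 digests of its legitimate inline scripts.
KNOWN_SRCS = {"https://shop.example/static/checkout.js"}
KNOWN_INLINE_SHA256 = {hashlib.sha256(b"init();").hexdigest()}


class ScriptInventory(HTMLParser):
    # Collects every <script> on a page: external src URLs and inline bodies.
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:  # inline script: buffer its body until </script>
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def find_unexpected_scripts(html, known_srcs, known_inline_hashes):
    # Returns (kind, value) tuples for every script absent from the baseline.
    inv = ScriptInventory()
    inv.feed(html)
    findings = [("external", s) for s in inv.external if s not in known_srcs]
    for body in inv.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in known_inline_hashes:
            findings.append(("inline", digest))
    return findings


# Constructed page: both baseline scripts plus one unknown external and one
# unknown inline script, standing in for code added after the baseline scan.
SAMPLE_PAGE = """<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<script>init();</script>
<script src="https://cdn.unknown-third-party.example/s.js"></script>
<script>var t=1;</script></body></html>"""
```

Run periodically against the live page, any non-empty result is an alert worth a human look; a second layer, a Content-Security-Policy with an explicit `script-src` allow list, blocks unknown external scripts outright rather than merely reporting them.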
The data breach notification letter doesn't say how many people fell victim to the attack, and the incident isn't mentioned in a press release or through any of the other official channels. This is probably not the best decision considering the number of people that might be affected by the breach.
To soften the blow, Macy's said in its notification that affected customers can receive 12 months of identity theft protection services from Experian for free. Apparently, however, people don't think that this is enough. After the news broke on Tuesday, the retailer's stock lost close to 11% of its value in a single day.