Macy's website hit by credit-card thieves: What to do

A Macy's store front at a shopping mall in Springfield, Missouri.
(Image credit: damann/Shutterstock)

If you bought anything on the Macy's website between Oct. 7 and Oct. 15 of this year, check your payment-card statements now. 

Macy's sent letters to affected customers last week stating that its website had been infected with card-stealing malware that captures what customers type into input fields on a webpage. The malware may have also purloined customer names, addresses, email addresses and telephone numbers.

Macy's did not state how many customers might have been affected, only telling Bleeping Computer that it was a "small number." We imagine that more than a small number of people might have shopped on for an entire week leading up to the holiday shopping season.

In any case, Macy's says it has brought in the FBI, notified the credit-card brands and hired a digital-forensics firm to analyze the situation. It will also give affected customers a 12-month subscription to Experian's IdentityWorks identity-protection service.

What to do if you think you're a victim

If you get the notification letter from Macy's -- here is a copy -- you should probably sign up for the free identity-protection service. It couldn't hurt.

These thieves are probably just after your credit-card numbers, and if you're a U.S. resident, that's not so bad. You're liable for only $50 of fraudulent credit-card purchases, and that's only if you notice fraud but don't report it to the card issuer within 60 days. That clearly won't apply in this case since all financial parties have already been informed.

Debit-card holders are at greater risk from payment-card theft. They have only two days to report the fraud to card issuers, and during that time their bank accounts could be cleaned out by thieves. We don't recommend shopping online with debit cards for this reason.

The Macy's credit-card thieves could try to steal your identity, but they might not get far unless they have your Social Security/Social Insurance numbers and dates of birth as well. 

Nonetheless, if you're a U.S. resident, get a free up-to-date credit report from one of the Big Three credit-reporting agencies (Equifax, Experian and TransUnion) now by going to

The spectre of Magecart

These so-called Magecart attacks have been plaguing online retailers since about 2015. The original method was to break into the back end of online-shopping sites and infect the Magento open-source e-commerce software used by tens of thousands of online retailers. 

Since then, Magecart has become sort of a generic term for any kind of attack in which crooks break into the administrative interface of a retail website and implant card-stealing malware, no matter what kind of back-end e-commerce software is being used. Other than Macy's, well-known victims include Newegg, Ticketmaster UK and British Airways.

Online credit-card theft, already rampant in Europe, is ramping up in the United States because it's now harder to steal credit cards in brick-and-mortar stores, thanks to the gradual replacement of magnetic-stripe cards with electronic-chip cards.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.