Retail giant Macy's announced it suffered a data breach that compromised customers' personal details, credit and debit card numbers and other information for nearly two months. The company said the breach occurred between April 26 and June 12 this year.
Macy's cyber threat alert tools reportedly detected suspicious login activity by a third party on June 11. The retailer said the third-party was using valid usernames and passwords, obtained from a source other than Macy's, to gain access to customers' accounts.
The company blocked the profiles that seemed to have been breached by the third party.
Compromised information included customers' fill names, addresses, phone numbers, email addresses, dates of birth and debit or credit card numbers with expiration dates. The company noted that Social Security numbers and CVV numbers were not accessed in the breach.
Macy's did not specify exactly how many customers were affected, stating that a "small number of our customers at macys.com and bloomingdales.com" were involved.
"We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures," a Macy's spokesperson said in a statement. "Macy’s, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.
Macy's has sent out letters to affected customers notifying them that their profile has been blocked and requesting them to change their associated password.
Users have also been advised to monitor their bank and credit statements for any suspicious activity and be on the lookout for potentially fraudulent or deceptive emails, phone calls and phishing attempts to steal additional data.