Department store mainstay Macy’s has sent out data breach notification letters to affected customers of its online shopping site, along with that of its other brand, Bloomingdale’s. The breach, which exposed customers’ usernames, passwords, mailing address email addresses, and payment card information without CVV numbers, has left its investigators scratching their heads in some regards.

According to the legally required filing of the breach with the New Hampshire attorney general’s office, IT experts at Macy’s noticed unusual login activity on June 11, 2018. Specifically, there was a spike in logins that day. By following the login pattern, experts were able to track the attacker’s traffic pattern on both macys.com and bloomingdales.com.

The strange thing is investigators found there was no compromise of Macy’s web security. The attacker didn’t hack into Macy’s website and start rooting around, but rather used information from an outside source to log into Macy’s customers’ accounts and access encrypted payment card information.

In short, someone gained customers’ information—typically from hacking another website or purchasing it online after someone else stole it—and used it to log into other customer accounts on Macys.com and Bloomingdales.com.

This serves as a reminder for people who reuse their login credentials from one site to the next. If you’re someone who reuses a username and password combination, this is the exact scenario security experts have warned you about. The potential for credential cracking becomes higher in these cases.

Upon discovering the attacker’s activity, Macy’s blocked the accounts that had been accessed and purged their stored payment card information. According to the filing with the AG’s office, most of the cards were Macy’s own department store cards. The company is providing identity monitoring through AllClear ID for customers whose accounts were accessed, and encourages all customers to change their passwords on any websites where they used their same login credentials.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.