Macy’s is notifying customers of a data breach involving unauthorized access to their payment card data and personal information.
In a notice sent to affected customers, Macy’s said it first detected suspicious login activity from certain Macys.com accounts on June 11, 2018.
“Based on our investigation, we believe that an unauthorized third-party – from approximately April 26, 2018, through June 12, 2018 – used valid customer user names and passwords to login to customer online profiles,” the retailer said.
The breach also appears to affect customers who shopped on Bloomingdales.com, which is owned by Macy’s.
Compromised information included customer names, home addresses, phone numbers, email addresses and birthdays, as well as debit or credit card numbers with expiration dates.
However, no CVV or Social Security numbers were impacted.
In response to the breach, Macy’s said it has blocked profiles with suspicious logins, advising customers to update their account passwords in order to regain access.