Popular US department store chain Macy’s has revealed that its website was hacked with malicious scripts in an attempt to steal customers’ payment information.

According to Bleeping Computer, the online storefront — macys.com — had “unauthorized code” added to its ‘Checkout’ and ‘My Wallet’ pages on October 7, allowing the bad actor to capture credit card data. Macy’s said it was alerted to the issue on October 15, a full week after the site was breached.

The attackers were able to access a range of personal information, including the customer’s full name and address, phone number, email address, payment card number, payment card security code, and payment card month/year of expiration if they were typed on one of the compromised pages.

Macy’s said it’s investigating the incident and added it had taken steps to prevent it from happening in the future. The company also told the publication only a small number of users were affected. As a remedial measure, it’s offering impacted customers one year of free credit monitoring.

We’ve reached out to the company for more details, and we’ll update the story if we hear back.

Increasing prevalence of Magecart attacks

Although spotted in the wild since 2010, this kind of attack — dubbed a Magecart attack because of the threat actors’ initial preference for the Magento e-commerce platform to gather illicit card data — has intensified over the last two years.

The attacks usually involve hackers compromising a company’s online store to stealthily siphon credit card numbers and account details of users who’re making purchases on the infected site by placing malicious JavaScript skimmers on payment forms.

“Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft,” cybersecurity firm RiskIQ noted in its report on the Magecart actors.

The recent wave of e-skimming attacks has grown so widespread — affecting over 18,000 websites — that it’s led the FBI to issue a warning about the emerging cyber threat, urging businesses to erect sufficient security barriers to protect themselves.

The intelligence agency, in an advisory posted last month, recommended that companies keep their software up-to-date, enable multi-factor authentication, segregate critical network infrastructure, and watch out for phishing attacks.

Other security measures could include employing obfuscation techniques to mask the actual HTML and JavaScript code the site runs on, making it difficult for attackers to reverse-engineer a website and insert malicious scripts.

As a customer, unfortunately, there isn’t much you can do to safeguard yourself from formjacking attacks. One course of action is to use a virtual payment card service such as Blur, MySudo, or Privacy.com.

That way, even if your credit card details get compromised, the attackers won’t be able to use them to make fraudulent payments on your behalf. But the downside to this approach is that these services are available only to US residents, so you’re out of luck if you live elsewhere.
