Macy's is warning customers that the retailer discovered a cyber threat that targeted customer profiles for almost two months.
According to a letter mailed to macys.com customers this week, Macy's cyber threat alert tools detected suspicious login activities on June 11.
This "suspicious activity" was carried out by a third party that, the retailer said, obtained the information from a source other than Macy's. From April 26 to June 12, the third party used valid usernames and passwords to gain access to customers' accounts.
On June 12, Macy's blocked the profiles that seemed to be breached by the third party.
What customers should do
A macys.com customer account will remain blocked until the customer changes the password associated with the profile, according to the letter. You should've received an email notifying you that your profile was blocked.
If you didn't receive an email, Macy's said to check your junk folder for an email with the subject line "Important information about your Macy's online profile." If you can't find the email, Macy's said that your profile still may be blocked and to change the password anyway.
What information was involved
After logging in, the unauthorized party was able to access the customer's full name, address, phone number, email address, birthday and debit or credit card numbers with expiration dates.
Macy's said macys.com accounts do not include Social Security numbers or the CVV numbers that appear on the backs of credit cards.
Macy's suggestions
In the letter, the company said customers should "remain vigilant" for fraud and identity theft.
The company also suggested that customers contact their debit or credit card companies to tell them about the data breach.
Macy's also said it strongly encourages customers to change the password for any online account for which they used the same username and password as their macys.com account. Because the third party got the information from a source other than Macy's, that information still could be available.
The retailer also said it arranged to have AllClear ID provide a year of free identity protection to affected customers.