"Macy's is warning customers that the retailer discovered a cyber threat that targeted customer profiles for almost two months. According to a letter mailed to macys.com customers this week, Macy's cyber threat alert tools detected suspicious login activities on June 11. This "suspicious activity" was being done by a third party, who the retailer said obtained the information from a source other than Macy's. From April 26 to June 12, the third party was using valid usernames and passwords to gain access to the customers' accounts... After logging in, the unauthorized party was able to access the customer's full name, address, phone number, email address, birthday and debit or credit card number with expiration dates. Macy's said macys.com accounts do not include CVV numbers that appear on the backs of credit cards or Social Security numbers... The retailer also said it arranged to have AllClear ID provide a year of free identity protection to affected customers." https://www.freep.com/story/money/business/2018/07/06/macys-data-breach-online/763074002/
I think something odd has been going on with Macy's for a while. I had a fraudulent charge on one of my credit cards for $400+ for one of their stores in Ohio last year. I do not live or shop in Ohio. Card was cancelled.
Macy’s Settles Suit Over 2018 Data Breach for Up to $192K June 9, 2020 https://footwearnews.com/2020/business/retail/macys-settles-data-breach-lawsuit-1203002548/