Get all the details on Magecart and formjacking attacks and learn how to protect your brand.

Disclaimer - These attacks were made known to the public, but for many no final statement was ever made. We are listing the breaches for public knowledge only after they have been reported to the press.

From April to August 2021, Magecart attackers stole hundreds of payment card records from Cornhole Antics, a seller of game boards and accessories. Payment information was stolen then sold on the dark web. 

CountryMax was attacked from March 2021 to June 2021. More than 1,000 payment cards were compromised from Magecart attacks, then offered for sale on the dark web. 

Pizza Pipeline, a pizza restaurant based in Spokane, Washington, was under attack from December 2020 to May 2021. Information for about 18,000 payment cards were stolen and put on the dark web for sale. 


An online store selling flower, herb, and vegetable seeds, Eden Brothers, was breached from mid-2020 to mid-2021. Almost 14,000 payment card information was stolen and sold on the dark web. 

Vintage Detroit Collection, a retailer of vintage apparel and souvenirs, experienced a Magecart attack from mid-2020 to mid-2021,  where almost 2,000 payment cards were stolen. Three, possibly more, Magecart infections were detected. 

The online store, Savory Spice, was attacked with a Magecart infection from April 2018 to July 2021. Hackers had skimmed data off the checkout page. After the initial infection cleanup, the site was likely reinfected more than once.


Something Special LA was breaded between June 2020 to June 2021. Almost 500 payment cards were comprised and stolen information were put on sale on the dark web. 

In three separate attacks, Magecart cybercriminals stole more than 450 payment card information from customers of The Hyde Store, an online seller of drywall, masonry tools, and more. 

Graduation Outlet experienced an attack that resulted in more than 1,000 stolen payment information. The stolen data had been offered on sale on the dark web. 

Womenswork was attacked between March and June of 2021. Magecart attackers stole over 1,200 customer payment information and sold them on the dark web. 


On July 6, 2020, JM Bullion was alerted to suspicious activity on its website. It was determined that malicious code was present on the website from February 18, 2020 to July 17, 2020, which had the ability to capture customer information entered into the website in limited scenarios while making a purchase.


The mobile network operator has fallen victim to a Magecart campaign designed to steal consumer financial data.


On August 14, 2020 Greenworks was the victim of a sophisticated cyber-attack that may have resulted in a compromise to some of our customers’ credit and debit cards used to make purchases on our e-commerce website between July 14, 2019 and June 30, 2020.

FabFitFun suffered a data breach as the result of formjacking from May 2-6 2020. Customers had their personal information exposed during the breach, including names, addresses, cities, states, zip codes, phone numbers, email addresses, credit card numbers, CVV codes and card expiration dates.

Between April 25 and August 5, Warner Music said hackers compromised “a number of US-based e-commerce” that were “hosted and supported by an external service provider.”


An unauthorized party gained access to Michigan State University’s online store,, and placed malicious code to expose shoppers’ credit card numbers between Oct. 19, 2019 and June 26, 2020


Malicious code was injected into the Claire’s official eCommerce website (and that of its sister store, Icing), starting in late April and took about 7 weeks to uncover.

Bombas alerted its customers to a formjacking attack which appears to have compromised customers’ names, addresses and payment card information. This is the second Bombas data breach reported, following a separate incident of the same nature that the company discovered in November 2014.

Fitness Depot hit by data breach after ISP fails to ‘activate the antivirus’

French Canadian site was injected with credit card skimmer


YogaFit was the victim of a sophisticated cyber-attack that compromised customers’ credit and debit card information.

A card-skimming Magecart malware infection lingered on the British outdoor clothing retailer’s website without detection for nearly eight months despite regular security scans.


Intersport online stores were compromised on April 30 with a geotargeted web skimming attack as customers from Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina were specifically targeted.

British hardware chain Robert Dyas’ website has been hit by credit-card stealing malware that siphoned off customers’ payment details including the long card number, expiry date and security (CVV) code.

Credit-card-stealing criminals have set their sights on the WordPress plugin known as WooCommerce, an e-tailer platform, with a JavaScript-based card-skimming malware.


KandyPens reports that purchases made between March 7, 2019, and February 13, 2020, may have resulted in the loss of credit and debit card data.

Malicious code was injected into the websites of household brand Tupperware is stealing customers’ credit card details.

Magecart Group 8, snuck malicious code onto NutriBullet’s website to collect financial information from customers who purchased blenders and other products from the company. The attack began on Feb. 20 and continues today

The notification reveals that an attacker gained unauthorized access to the company’s web server somewhere around mid last year and stole payment information of customers that were entered into its website for over five months, between August 3, 2019, and January 14, 2020.


Kitchen & Couch was infected on the 19th of February 2020 until the 25th of February 2020.

SoleStar was infected from the 11th of January 2020 until at least the 25th of February 2020.

An Olympic Ticketing website was compromised by a skimmer using the domain for data exfiltration. The malicious script may have been on the website for over 50 days.


When a visitor of the site adds an item to their cart, such as a donation, a malicious credit-card skimmer script named ATMZOW will be loaded into the checkout pages.

Hanna Andersson disclosed that its online purchasing platform was hacked and malicious code was deployed to steal customers’ payment info for almost two months.


The company revealed that it was breached by some sort of cyber attack that targeted customer information. The LifeLabs data breach included lab test results and national health card numbers along with personally identifiable information including names, dates of birth, home addresses and email addresses. Login IDs and passwords appear to have also been compromised in the breach.

Digital skimming hackers have been in action again, this time targeting the website of a leading US gun-maker and its customers.

The web site for UK activewear retailer Sweaty Betty has been hacked to insert malicious code that attempts to steal a customer’s payment information when making purchases. The hackers modified the script to add malicious code to the bottom.

267 million Facebook users IDs and phone numbers exposed online. Most of the affected users were from the United States.


Macy’s confirmed Tuesday that some of its online shoppers’ payment details were compromised after hackers cracked into its “Checkout” and “My Wallet” pages.

An unauthorized party had accessed information related to its customers’ order made from the OnePlus website. The information that has been accessed by the unauthorized party include users’ name, contact number, email and shipping address. However, OnePlus assures that critical information such as payment information, passwords and account details are safe. Moreover, the data breach only affects a select number of OnePlus customers.

It relates to a single file created in 2015 that contained details associated with approximately 3 million customers in UniCredit’s Italian market. The breached document included customer names, telephone numbers, email addresses and cities. It also said that the problem did not extend to any other personal or banking details, nor would the compromised content allow hackers to carry out unauthorized transactions.


If a customer visited or, they may have had their payment card data read and stolen during the three-year timeframe.
The notification letter stressed that the hacker did not have access to medical records. But credit card information could have been stolen at any time during the impacted timeframe.

Active Network said Magecart attackers had hacked Blue Bear, a  third party platform that enables management of school accounting and student fees on behalf of schools, for six weeks from October 1, 2019 to November 13, 2019. Parents who accessed a school website using Blue Bear may have had their personal information stolen.


Data from some Poshmark users was acquired by an unauthorized third party.” The company said that the stolen data “does not include any financial or physical address information” and that it shouldn’t have compromised any passwords.


Breach of third-party collection vendor American Medical Collection Agency (AMCA). Quest Diagnostics, one of the largest blood-testing laboratories in the U.S., announced in June that an unauthorized user had accessed data on nearly 11.9 million patients, including credit card numbers, bank information, Social Security numbers, and medical information, but not laboratory test results. In July, LabCorp reported a similar incident affecting 7.7 million patients. Both exposures were attributed to a data breach at AMCA, a collection agency.


OpenCart sites were hit by the Magecart group to steal credit card information entered by users. OpenCart is in the top three most frequent shopping platforms worldwide

An unauthorized third party accessed some of its user data on May 4, affecting about 4.9 million customers, merchants and DoorDash delivery people who joined the platform on or before April 5, 2018. In this case, the company said not enough information was released for hackers to ring up fraudulent charges.


Hackers planted credit card skimming code on its ecommerce site. Anyone ordering merchandise on or after 20 April 2019 had their name, address, and credit card details stolen by the malicious code, which logs victims’ keystrokes at the point of entry.


Clothing and camping equipment retailer Kathmandu has revealed that an “unidentified third party” may have had access to its online ecommerce website. The third party may have captured customer personal information and payment details entered at check-out


Topps issued a data breach notification stating that it was affected by an attack, which possibly exposed the payment and address information of its customers. “It is possible that this incident compromised names, mailing addresses, telephone numbers, e-mail addresses, and payment information (including credit/ debit number, card expiration date, and security code) for customers who completed a purchase through the Topps website


Fashion site Sixth June leading card data to Magecart hackers

UniCredit Breach Impacts 3 Million Clients


Marriott reported unauthorized access to the database containing guest information related to Starwood properties’ reservations since 2014. Name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences have been stolen. For some guests, the exposed information includes payment card numbers and their expiration dates.

Payment card information of the online flower shop 1-800-Flowers customers has been stolen due to a security issue persistent for about four years. The compromised information includes users’ full names, payment card numbers, expiration date, and card security code.


Stolen data includes passenger name, date of birth, nationality, email, phone number, frequent flyer programme membership number, physical addresses, 245,000 Hong Kong ID card numbers, 860,000 passport numbers, customer service remarks and details related to passenger’s travel history.


Hackers stole the data of anyone who booked a flight through the British Airways website over a two-week period. The pilfered data included login details, payment information, travel booking information, and addresses.

Hackers injected 15 lines of card skimming code on Newegg’s payments page which remained for more than a month. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name — likely to avoid detection. The code also worked for both desktop and mobile customers


Ticketmaster point-of-sale systems were compromised. Personal information compromised includes names, addresses, email addresses, telephone numbers, payment details and login details.


Hackers inject Magecart card skimmer in Forbes’ Subscription Site


Customers’ payment card and contact information may have been compromised after cybercriminals breached the website.Attackers may have obtained information such as name, billing ZIP code, delivery address, email address, and payment card data, including card number, expiration date and CVV.

Cybercriminals accessed Equifax consumers’ personal data, including their full names, Social Security numbers, birth dates, addresses, and driver license numbers. After a settlement with Equifax, consumers can now file a claim for free credit monitoring or a cash payment of $125. If you spent time recovering from the breach or lost or spent money because of the breach, you can request payment of up to $20,000.