The attack, which occurred over roughly six weeks between the end of April and the beginning of June before being shut down, affected consumers registered on Macys.com or Bloomingdales.com.
Logins and passwords were taken from sites unrelated to the retailers and then used to access data on both retailers' sites.
“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” a Macy’s spokesperson said in a statement.