The details of more than 200,000 Visa and Mastercard cards were stolen during the recent cyber-breach at credit referencing firm Equifax.
Visa and Mastercard have been sending out confidential alerts - seen by security blogger Brian Krebs - to financial institutions across the US warning about the compromised cards.
Visa says that the window for the exposure is between 10 November 2016 and 6 July 2017, although Equifax says that hackers did not gain access to its systems until the middle of May. The thieves managed to access card account numbers, expiration dates, and cardholder names - enough information for online purchases.
Equifax first admitted that its systems had been breached on 7 September, with hackers exploiting a US website application vulnerability to steal the personal details of approximately 143 million US consumers.
Since then, the company has faced a barrage of criticism adnd the threat of a multiple law suits for the hack and for its response. With an FTC probe on the cards, Senate Minority Leader Chuck Schumer called the breach “one of the most egregious examples of corporate malfeasance since Enron”, while Senator Elizabeth Warren is today introducing legislation designed to give consumers more control over the data credit companies collect.
Some British customers have been affected. Although Equifax says that its UK systems were not hit, a file containing some data was stored in the US. Names, dates of birth and email addresses - but not financial data - of fewer than 400,000 people may have been compromised.
Meanwhile, the alarm has been raised over Equifax's Argentinian website. According to Krebs, an employee portal is protected with the laughable username 'admin' and password 'admin', enabling researchers to break in and find sensitive information.