In a filing with the California Attorney General, Macy's said the hacking also involved customers' names, addresses and phone numbers.
The data breach that happened between October 7 and October 15 is likely to affect thousands of customers, TechCrunch reported on Tuesday.
The retail company, however, claimed that only a small percentage of its customers were affected and that it has initiated counter measures, including offering credit card monitoring for affected customers.
"On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019, an unauthorised third party added unauthorised computer code to two (2) pages on macys.com," the company, which has multiple retail stores across the US, said in a statement.
"Our teams successfully removed the unauthorised code on October 15, 2019," it added.
According to BleepingComputer, Macy's has started sending out emails to those who were affected, advising them to monitor their credit card statements for suspicious or fraudulent activity.
"We are aware of a data security incident involving a small number of our customers on macys.com," Macy's was quoted as saying.
"All impacted customers have been notified, and we are offering consumer protections to these customers at no cost."
This is the second time that Macy's has been hit by data breach in recent times.
Last year, Macy's admitted a months long breach where hackers stole credit card data and passwords of about 0.5 per cent of its customer base, on both its website and Bloomingdale's site owned by Macy's.
Macy's said it notified law enforcement agencies and hired "a leading class forensics firm" to help with their investigation.
The company has also contacted relevant credit card brands, including Visa, American Express, Discover, and Mastercard, to notify them of the breach.
The breach is described as the Magecart attack that targeted vulnerabilities in the Magento e-commerce platform.
"It utilised obfuscated Javascript to sit in between Macy's server and the website form where customers enter their credit card details to make a purchase," reported BleepingComputer.
( With inputs from IANS )