How Hackers Stole Credit Card Numbers From MyPillow Shoppers in 2018

In late 2018, attackers broke into the MyPillow website's checkout process and stole customer credit card information. They pulled off the theft by hiding malicious code on the payment page—code that captured card numbers as shoppers typed them in. The attack lasted roughly two months, from October through November 2018.
The group behind the attack, known as MageCart, has targeted hundreds of e-commerce websites over the years using similar techniques. This incident offers a clear window into how online shopping sites can be vulnerable even when they're not directly hacked in the traditional sense.
How the Attack Worked
The attackers registered a fake website domain called mypiltow.com—notice how similar it looks to the real MyPillow website. They planted malicious code on this fake domain, then found a way to make that code run on MyPillow's actual checkout pages.
When a customer went to buy a pillow and entered their credit card information, the hidden code intercepted that data before it was sent to the legitimate payment processor. The attackers essentially read over the customer's shoulder as they typed.
This is different from hacking directly into MyPillow's computers. The attackers didn't break into the company's main systems. Instead, they compromised the customer-facing pages where payment happens—the part you see in your browser. This approach is surprisingly common because it requires less technical skill than breaking into a company's back-end servers, and it works reliably.
Why This Attack Matters for Online Shoppers
The core problem here is that modern websites use hundreds of small code snippets and services to run. Each one is a potential entry point for attackers. Website builders have to trust that all these pieces work together safely, but coordinating that security across so many moving parts is genuinely hard.
What made the MyPillow attack possible was a gap in how the company monitored what code was actually running on its checkout pages. If you don't actively watch for unauthorized code showing up, you won't notice it's there—especially if the attackers hide it well.
The fact that this attack lasted two months without immediate detection suggests MyPillow's security systems weren't catching unauthorized code as quickly as they should have. This isn't unique to MyPillow; many companies in 2018 weren't set up to spot this kind of attack in real time.
What Websites Should Do
There are straightforward ways to defend against these attacks. Companies can write strict rules about which code is allowed to run on their payment pages—essentially a whitelist that says "only code from these approved sources can execute here." They can also monitor payment pages continuously to catch any unauthorized code that tries to run.
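One way to put both of those defenses into practice is to express the "approved sources" rule as a Content-Security-Policy script-src allowlist and then scan the served checkout page for any script the policy would not permit. The following is an added example written for this article, not MyPillow's code or policy; the policy value, the page origin, the payment-processor hostnames and the HTML page are all constructed, and the injected look-alike script URL is a placeholder that only mirrors the pattern the article describes.

```python
"""Check a checkout page's <script> sources against a CSP script-src
allowlist. Added example; the policy, page origin, hostnames and HTML
below are constructed, not the merchant's real policy or page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed Content-Security-Policy value for a payment page: only
# first-party scripts and the (made-up) payment processor's script host.
CHECKOUT_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://js.example-psp.test; "
    "connect-src 'self' https://api.example-psp.test"
)

# Constructed checkout page: two legitimate scripts plus one injected
# from a look-alike domain, the shape of compromise the article describes.
CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.test/v3/card-form.js"></script>
<script src="https://mypiltow.com/cart.js"></script>
</head><body><form id="payment"></form></body></html>
"""


def parse_script_src(csp: str) -> list[str]:
    """Return the source expressions of script-src, falling back to
    default-src the way a browser does when script-src is absent."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def script_sources(html: str) -> list[str]:
    """Every external <script src=...> on the page, in document order."""
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.sources


def _host_matches(pattern: str, host: str) -> bool:
    """Match a CSP host-source (optionally '*.'-prefixed) against a host."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def is_allowed(src: str, page_origin: str, sources: list[str]) -> bool:
    """Would a browser enforcing `sources` load script `src`? Covers
    'self', bare hosts and scheme://host entries; nonces, hashes and
    'strict-dynamic' are deliberately out of scope for this example."""
    url = urlparse(src if "://" in src else page_origin + src)  # relative -> own origin
    page = urlparse(page_origin)
    for expr in sources:
        if expr == "'self'":
            if (url.scheme, url.netloc) == (page.scheme, page.netloc):
                return True
        elif "://" in expr:
            allowed = urlparse(expr)
            if url.scheme == allowed.scheme and _host_matches(allowed.netloc, url.netloc):
                return True
        elif _host_matches(expr, url.netloc):
            return True
    return False


def unauthorized_scripts(html: str, csp: str, page_origin: str) -> list[str]:
    """Scripts present on the page that the policy would not allow: what a
    page monitor should alert on (and what an enforcing browser blocks)."""
    allowed = parse_script_src(csp)
    return [s for s in script_sources(html) if not is_allowed(s, page_origin, allowed)]


if __name__ == "__main__":
    for src in unauthorized_scripts(CHECKOUT_HTML, CHECKOUT_CSP, "https://shop.example.test"):
        print("ALERT: script not in script-src allowlist:", src)
```

Run as a scheduled job against the live checkout page, a check like this reports a newly appeared script host within minutes rather than months; the same policy sent as a real Content-Security-Policy header makes browsers refuse to load the unlisted script in the first place.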
The fake domain approach, where attackers registered mypiltow.com to look legitimate to automated security tools, could be caught earlier through services that watch for look-alike domains registered in the wild. If a security team is actively hunting for typosquatting attempts, they can spot and block them before attackers use them in an actual breach.
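A minimal version of that look-alike hunting is to compare each newly registered domain against the brand's real domain using edit distance after collapsing common visual confusables. The code below is an added example for this article, not any vendor's product; the brand list and the "new registrations" feed are constructed samples, and the thresholds and homoglyph table are illustrative choices, not a standard.

```python
"""Flag newly registered domains that resemble a protected brand domain.
Added example; the brand list, the registration feed, the thresholds and
the confusable table below are constructed for illustration."""

BRAND_DOMAINS = ["mypillow.com"]  # domains the security team protects

# Constructed sample of a new-registration feed.
NEW_REGISTRATIONS = [
    "mypiltow.com",          # one substituted letter (the 2018 case)
    "mypilow.com",           # one dropped letter
    "mypillovv.com",         # 'vv' standing in for 'w'
    "my-pillow.com",         # inserted separator
    "mypillow-support.com",  # brand used as a prefix
    "pillowtalk.com",        # unrelated
    "weather.com",           # unrelated
]

# Multi-character sequences that read like a single letter in many fonts.
HOMOGLYPH_PAIRS = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    transpose-adjacent each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalize(label: str) -> str:
    """Strip separators and collapse confusables before comparing labels."""
    label = label.lower().replace("-", "").replace("_", "")
    for look, real in HOMOGLYPH_PAIRS:
        label = label.replace(look, real)
    return label


def classify(domain: str, brand: str, max_distance: int = 2):
    """Return a reason string if `domain` looks like `brand`, else None."""
    if domain == brand:
        return None
    d_label = domain.rsplit(".", 1)[0]
    b_label = brand.rsplit(".", 1)[0]
    n_d, n_b = normalize(d_label), normalize(b_label)
    if n_d == n_b:
        return "homoglyph/separator variant"
    distance = damerau_levenshtein(n_d, n_b)
    if distance <= max_distance:
        return "within edit distance %d" % distance
    if n_b in n_d:  # brand label embedded in a longer label
        return "contains brand label"
    return None


def lookalikes(registrations, brands=BRAND_DOMAINS):
    """(domain, brand, reason) for every registration that matches a brand."""
    hits = []
    for domain in registrations:
        for brand in brands:
            reason = classify(domain, brand)
            if reason:
                hits.append((domain, brand, reason))
    return hits


if __name__ == "__main__":
    for domain, brand, reason in lookalikes(NEW_REGISTRATIONS):
        print("REVIEW: %s resembles %s (%s)" % (domain, brand, reason))
```

Hits from a check like this go to a review queue, where the team can decide whether to block the domain at the web proxy and in the checkout page's script allowlist before it is ever used against customers.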
The Lasting Lesson
This type of attack has only evolved since 2018. The MageCart groups continue adapting their methods to get around the defenses that companies have put in place. But the fundamental vulnerability—that payment pages are complex, difficult to monitor, and rich targets for theft—remains a core challenge for e-commerce security.
For anyone shopping online, this highlights why it's worth paying attention to which websites you trust with your card, looking for security signals like HTTPS (the padlock in your browser address bar), and monitoring your statements for unauthorized charges. For the companies running those sites, it underscores why investing in real-time monitoring of payment pages isn't optional—it's a basic requirement of doing business responsibly online.