The stolen information could include name, address, email address, phone, and credit or debit card numbers, expiration dates and verification codes, the company said in a notice.
“We greatly value the trust our consumers place in our Company and take very seriously our responsibility to protect sensitive and confidential information that consumers share with us,” it said. “We deeply regret that an incident resulting in the illegal and unauthorized access to data files within our online store occurred.”
It added, “The unauthorized user utilized a sophisticated scheme to illegally obtain this personal information as it was being entered during the online checkout process.”
Smucker's noted that the malware responsible for the breach behaves much like a banking trojan does on PCs, except it’s designed to steal data from web server applications – in this case, the e-commerce site.
“PC Trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting ‘form grabbing’ – capturing any data entered into a form field in the browser before it can be encrypted in the web session and sent to whatever site the victim is visiting,” explained security researcher Brian Krebs. “The malware that tore into the Smucker’s site behaved similarly, ripping out form data submitted by visitors…as customers were submitting the data during the online checkout process.”
Krebs said that the company’s name among a list of targets picked last year by a criminal hacking group targeting vulnerable versions of the Adobe ColdFusion web application platform.
It's unclear yet how widespread the breach was or how many people could be affected – the company said that it will provide updates as information becomes available.