Michigan State University has confirmed a data breach affecting 2,600 people who purchased items from the online store.

After hacking into the shop.msu.edu website, hackers stole various credit card and personal information. They then inserted malicious code into the site's own code to conduct a web-skimming attack, capturing text entered into form fields by website visitors, specifically credit card numbers.

Bleeping Computer reports that the perpetrators took advantage of a flaw in the Michigan State University website to gain access. However, the university has publicly stated that the flaw has since been fixed.

"Between October 19, 2019 and June 26, 2020, an unauthorized person accessed Michigan State University's online store, shop.msu.edu, and installed malicious code that exposed shoppers' credit card numbers," the university said in a statement." The intrusion was the result of a vulnerability in the website, which has since been addressed."

The school said the hackers accessed customers' "names, addresses, and credit card numbers," but not their Social Security numbers.

The college explained that its security team "promptly fixed the vulnerability" and that it is "cooperating with law enforcement in the investigation."

"Our top priority is to share resources and tools to protect consumers from these cybercriminals so that their information is not further compromised," said Daniel Ayala, interim chief information security officer at Michigan State University. [The security of our IT systems and the people who use them is of utmost importance to MSU. We deeply apologize and understand the concerns of those affected." We are working around the clock to make this right."

Since the vulnerability was discovered and fixed, the university has begun contacting everyone affected by the web-skimming attack.

Michigan State University explains that it is "offering free credit monitoring and identity theft protection to further protect against information breaches."

For those involved in an information breach, the university advised the following steps:

"MSU has invested heavily in information security and will continue to do so. However, investment alone is not sufficient. [But investment alone is not enough," Ayala said. We are determined to dedicate ourselves to this important work, which is vital to protecting all those who use our systems in today's highly technological society."