Furthermore, researchers also said they found the malicious code to only 6,589 of Volusion's stores, reducing the impact of the breach's initially reported size of 20,000 potentially impacted stores.
However, while the breach was smaller, it wasn't less impactful. Gemini Advisory said today the stolen card data was uploaded a month later, in November 2019, on a dark web hacking forum where it has been up for sale ever since.
Gemini Advisory said it suspects that hackers might have gotten their hands on almost 20 million payment card details during last year's hack, but, for now, it only tracked 239,000 Card Not Present (CNP) records back to Volusion-based stores.
Some of the card details have been sold, Gemini said, estimating that the hackers made nearly $1.6 million in revenue.
In subsequent report following ZDNet's coverage, Trend Micro later attributed the hack to a group known as FIN6, also believed to have been behind other web-skimming (Magecart) incidents, such as British Airways and retail giant Newegg.
A Volusion representative was not immediately available for comment.