First reported by Bleeping Computer, the letter says payment card information was compromised through a card skimming device at certain Costco locations.
"We recently discovered a payment card skimming device at a Costco warehouse you recently visited. Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating," Costco said in the letter.
"If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card number, card expiration date and CVV. We recommend that you check your most recent bank and/or credit card statement related to the card above for charges unauthorized by you."
The company said they discovered the card skimmer after an inspection of its pin pads and said law enforcement has been contacted.
The letter added that even if victims have not seen any suspicious charges, they should still call their bank to "discuss possible options for avoiding potential problems in case" their card was inappropriately used.
Costco is offering victims IDX identity theft protection services which include 12 months of credit monitoring, a $1 million insurance reimbursement policy and ID theft recovery services.
The letters come after people wrote on Twitter and Reddit that they had discovered fraudulent charges on their Costco cards and accounts. Some said they began noticing the charges after using their card at Costco gas stations.
"Noticed a fraudulent charge on my credit card, so I called to get it handled. The guy on the phone asked if I pay at the pump usually for gas, and I said yes. Apparently, skimmers for information are common on pay at pump systems and car washes," one Reddit user wrote.
"That was the only place he saw in my history that was likely to have stolen my information. He recommended paying inside, but Costco doesn't even have that option. Just a reminder to always check your credit card statements and watch for fraudulent charges!"
Card skimmers are a persistent problem on both physical terminals and online e-commerce portals. The problem is common enough that in March Cloudflare created a web security tool to prevent Magecart-style attacks.
CRITICALSTART CTO Randy Watkins said these types of physical data theft are typically very isolated, noting that card skimming devices are used on everything from gas pumps to ATMs but only pose a threat to patrons of the breached device.
"The data that the attacker can obtain from the magnetic strip on a card actually depends on the card itself. While things like the credit card number, full name, expiration, and country code are universal, other cards can contain additional information like billing address or rewards account numbers. Consumers should make a habit of checking card slots for any foreign devices (internal or external) before swiping their card," Watkins told ZDNet.
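To make concrete what Costco's letter and Watkins describe as sitting on the stripe, the following is an added example (not code from the ZDNet article, Costco, or CRITICALSTART) that parses magnetic-stripe track data in the ISO/IEC 7813 layout and returns only the fields a payment terminal is permitted to retain. It assumes standard track 1 and track 2 formatting; the sample track strings, the cardholder name and the discretionary data are constructed, and the card number is the well-known Luhn-valid test PAN, not a real card. The point for defenders is the contrast it makes visible: a skimmer that records the raw read captures the full PAN, name, expiry and the issuer's discretionary data in the clear, whereas a compliant terminal masks the PAN before anything is logged and never keeps the discretionary field at all.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample track data in ISO/IEC 7813 layout (assumption: the layout
# is the standard one; the PAN is the Luhn-valid test number 4111 1111 1111 1111,
# the name and discretionary data are made up).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25122011234567890123?"
SAMPLE_TRACK2 = ";4111111111111111=25122011234567890123?"

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


@dataclass(frozen=True)
class StripeFields:
    pan_masked: str            # first 6 + last 4 digits, the most PCI DSS permits in logs
    cardholder: Optional[str]  # only present on track 1
    expiry: str                # YYMM exactly as encoded on the stripe
    service_code: str          # three digits; first digit 2 or 6 means the card has a chip
    discretionary_len: int     # issuer data (where CVV1/CVC1 lives); length only, never the value


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first 6 and last 4 digits, replacing the rest with '*'."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def prefers_chip(service_code: str) -> bool:
    """ISO 7813 service code: a first digit of 2 or 6 marks an integrated-circuit card.

    A swipe of such a card is an EMV 'fallback' transaction, which is exactly the
    path a stripe skimmer profits from, so terminals should flag it.
    """
    return service_code[0] in ("2", "6")


def parse_track(raw: str) -> StripeFields:
    """Parse raw track 1 or track 2 data and return only the fields safe to log.

    Raises ValueError for malformed input or a PAN that fails Luhn, so a terminal
    never records a garbage read as if it were a card.
    """
    name = None
    m = TRACK1_RE.match(raw)
    if m:
        name = m.group("name").strip()
    else:
        m = TRACK2_RE.match(raw)
        if not m:
            raise ValueError("not ISO 7813 track 1 or track 2 data")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return StripeFields(
        pan_masked=mask_pan(pan),
        cardholder=name,
        expiry=m.group("exp"),
        service_code=m.group("svc"),
        discretionary_len=len(m.group("disc")),
    )


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        fields = parse_track(raw)
        print(fields, "chip card swiped (fallback):", prefers_chip(fields.service_code))
```

Running the block prints the masked fields for both sample tracks and flags both as chip-card swipes, since the constructed service code is 201. The full PAN and the discretionary data exist only transiently inside `parse_track`; nothing that leaves the function could be replayed to make a purchase, which is the property the letter's "they may have acquired the magnetic stripe" warns is missing once a skimmer sits in front of the terminal.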
Armen Najarian, chief identity officer at Outseer, said the Costco breach underscores the urgency for better payment security anywhere a transaction happens.
"As we head into the holiday season, hackers and other bad actors will target retailers made vulnerable by short staffing and high transaction volumes," Najarian said.
"All of this, unfortunately, will be amplified this year as pandemic-induced labor shortages reach unprecedented levels. If retailers want to keep their customers safe and happy this holiday season, they need to prioritize payment authentication software for in-store and online transactions alike."
Costco is the fifth largest retailer in the world and fourth largest in the US, with 810 stores worldwide.