Security company RiskIQ, along with Flashpoint, released a detailed study on Magecart — which they said included several groups — in which the claim was made.
The two companies also said credit card data stolen from customers of the IT firm Newegg was up for sale.
British Airways disclosed in September that the financial and personal details of 380,000 customers had been stolen from its site.
RiskIQ and Flashpoint said there were several Magecart groups:
Group 1 & 2 – Casts a wide net for targeting, likely using automated tools to breach and skim sites. Monetises with a sophisticated reshipping scheme.
Group 3 – Goes for a high volume of targets to go for as many victims as possible, but is unique in the way its skimmer works.
Group 4 – Extremely advanced, this group blends in with its victims' sites to hide in plain sight and employs methods to avoid detection.
Group 5 – Implicated in the breach of Ticketmaster, this group hacks third-party suppliers to breach as many targets as it can.
Group 6 – Extremely selective, only going for top-tier targets, such as British Airways and Newegg to secure a high-volume of traffic and transactions.
RiskIQ and Flashpoint said the Magecart intrusions had first begun in 2o15. The report they released has indicators of compromise for each group.