Federal authorities have a consumer warning for shoppers. Hidden skimming devices (commonly thought to be attached to gas station pumps and ATMs) have gone high-tech. "It's hard to put really — definite numbers around it. But one thing we know for sure is that millions of credit card numbers have been stolen, even over the course of the past two years," Herb Stapleton, section chief for the FBI's cyber division told CNBC. This new type of skimming is called e-skimming or Magecart. Cybercriminals can gain access to your personal and credit card information in a number of ways. They can break into a web server directly or break into a common server that supports many online shopping websites to compromise them all and once a site has been compromised, the shopper can't spot the difference.

"It's nearly impossible for a consumer to detect that this has happened to them before the actual occurrence. The site that they would look at, which is already infected, would look no different to a consumer," Stapleton said. Randy Pargman is the senior director for threat hunting and counterintelligence at Binary Defense, an Ohio-based cybersecurity company that monitors companies' computers for signs of attacks. The company won't disclose its clients but says many are in the retail sector. More from Invest in You:

Meet the 'financial detective' who has saved NBA players from losing millions of dollars to fraud

How to protect yourself from a security breach

Sometimes it pays to have a credit card with an annual fee. Here's what to look for Victims of e-skimming include Macy's, Puma's Australian website, Ticketmaster's United Kingdom website and British Airways. The companies did not respond to requests for comment.

Getty Images