Point of sales vendor Lightspeed has been breached with password, customer data, and API keys possibly exposed. Lightspeed has notified customers in an email saying that the information was contained in a compromised database but was not confirmed to be stolen.

It boats more than 38,000 customers transacting US$12 billion annually. The company has been contacted for comment. In a letter sent to customers Lightspeed offered some limited details on the breach. Lightspeed maintains a central database of sales, product and customer information as well as encrypted passwords and API Keys.

Hackers have attacked 20 hotels run by HEI Hotels and Resorts, including Hyatt, Marriott, Starwood and Intercontinental with a targeted malware. The cyberattack may likely have resulted in personal and financial information of thousands of customers being stolen and leaked.

Privately-owned HEI, which is headquartered in Norwalk, Connecticut, confirmed that the data breach was first discovered in June this year and was found to be targeting PoS systems. The firm also said that the malware was specifically designed to steal card data used by customers to make payments. HEI said that the malware affected 12 Starwood hotels.

Security researchers have found a new memory-scraping malware program that steals payment card data from point-of-sale (PoS) terminals and sends it back to attackers using the Domain Name System.

Dubbed Multigrain, the threat is part of a family of malware programs known as NewPosThings, with which it shares some code. However, this variant was designed to target specific environments. That's because unlike other PoS malware programs that look for card data in the memory of many processes, Multigrain targets a single process called multi.exe that's associated with a popular back-end card authorization and PoS server.