The official Sesame Street online store, along with thousands of other retailers, has been targeted by a credit card-stealing hack.
Card details were collected by a piece of malicious software, dubbed JavaScript Cookie.
The code was found in shopping cart software built by Volusion, which has 20,000 small business customers.
The issue was spotted by a security researcher while shopping for toys on the Sesame Street store.
Volusion has not yet responded to the BBC's request for comment.
Marcel Afrahim, a researcher at security firm Check Point, noticed the malicious code when he was browsing on the Sesame Street Live store.
In a blog, he wrote: "The compromise is not only unique to Sesame Street Store, and most likely any e-commerce website hosted on Volusion is probably running malicious code and posting the credit card info of the consumers to the outsider domain."
He added that he had contacted Volusion but "it had not been responsive to take down down the malicious code."
The Sesame Street site is currently not active. Instead visitors see a message that reads: "We are currently performing scheduled maintenance and updates on the website DLive ."
Volusion provides shopping cart software to thousands of merchants, and according to Mr Afrahim has had 185 million orders placed via its software, amounting to $28bn in transactions.
Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://www.msn.com/en-xl/news/other/cookie-monster-eats-data-from-sesame-street-store/ar-AAIvroR
Congratulations @arifcorlu! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :
You can view your badges on your Steem Board and compare to others on the Steem Ranking
If you no longer want to receive notifications, reply to this comment with the word
STOP
Do not miss the last post from @steemitboard:
Vote for @Steemitboard as a witness to get one more award and increased upvotes!