A US online payment provider has admitted its processing service was used in an attempt to charge money to stolen credit and debit cards.
Several web hosting companies that use the Authorize.Net service to accept card payments online saw large numbers of attempted thefts last weekend.
The transactions were for amounts of up $700 (£400) and involved cards from Visa, MasterCard and American Express.
Authorize.Net acts as a gateway for online transactions, making sure the right merchant receives the correct amount from each card company once a customer’s account is billed.
About 130,000 merchants are supported by the Authorize.Net system, but it was their e-commerce web hosting companies that were wrongly credited with the fraudulent cash amounts.
Thousands of unauthorised transactions led to millions of dollars ending up in the accounts of the web hosting companies.
The fraudsters, using stolen card numbers and other information, are believed to have planned to divert the money to the web hosts, before moving it onto other accounts.
They may also have carried out the online transactions to test which card details worked. Those that went through may now be used for future online purchases of goods.
The transactions were voided by the web hosting companies when they started to receive thousands of automatic e-mail notifications from Authorize.Net pinpointing the suspicious payments.
It is unclear where the fraudsters got the credit card information from or where the security breach lay.
Authorize.Net deies any breach, and says its systems were simply reacting to instructions from the web hosting companies.