The attackers exploited a known vulnerability and installed credit card skimmers on more than 500 websites.