Card details were collected by a piece of malicious software, dubbed JavaScript Cookie. The code was found ... security researcher while shopping for toys on the Sesame Street store.