Card details were collected by a piece of malicious software, dubbed JavaScript Cookie. The code was found in shopping cart software built by Volusion, which has 20,000 small business customers.