With Black Friday and Cyber Monday looming only eight days away, and Magecart’s malware being spotted in more than a few retailer point-of-sale systems, consumers should be aware of which online retailers are the best at protecting their customer’s data.

To come up with a definitive list LastPass tested the websites of the top 10 U.S. retailers based on 2018 e-commerce sales to see which had the best cybersecurity.

Topping the safe, or nice, list was Apple, followed by Best Buy, The Home Depot, Amazon and Quarate Retail Group, which operates a group of retailers including QVC, HSN and zulily.

On the other, less secure, or naughty, side of the list were Costco, Macy’s, eBay, Walmart and Wafyair.

However, even the secure-rated retailers have some security concerns consumers should notice. Only two, Amazon and Apple, use two-factor authentication. LastPass recommended that whenever one signs up for a new retail account to look for, and then agree to, two-factor to provide an additional layer of security.

Another no-no is using social media or Google sign-in credentials to access an e-tail account. While this can be a time saver, it also opens up another attack surface by allowing an attacker to gain access to payment card details just by gaining access to a social media account.

As LastPass noted, Facebook only just disclosed the fact 50 million of its users had their user data exposed and this could be used for malicious purposes.

There was some good news for the top retailers. Eight of the 10 allowed for passwords of up to 20 characters so customers can create complex passwords, and finally, all 10 retailers used HTTPS to secure their sites.