CP
cyberpings
BreachesHIGH

Magento Breach - Ongoing Defacement Campaign Hits Thousands

SWSecurityWeek
MagentodefacementPolyShellNetcraftAdobe Commerce
🎯

Basically, many online stores using Magento were hacked and had their websites changed by attackers.

Quick Summary

A significant defacement campaign has hit over 7,500 Magento sites, affecting global brands and government services. This widespread attack underscores serious security vulnerabilities. Immediate updates and security measures are crucial to prevent further exploitation.

What Happened

On February 27, a mass defacement campaign targeting Magento sites began, affecting over 7,500 websites. The attacks involved deploying plaintext defacement files across more than 15,000 hostnames. These files often contained the handles of the attackers, with some featuring political messages related to recent geopolitical events. However, these messages appeared for only a short time, suggesting they were not the main goal of the campaign.

According to Netcraft, a digital risk protection platform, the attackers are likely exploiting an unauthenticated file upload vulnerability in Magento. This vulnerability affects various versions of Magento, including Open Source and Adobe Commerce. The campaign has drawn parallels to earlier attacks in October 2025, which exploited the SessionReaper flaw.

Who's Affected

The defacement campaign has impacted a wide range of entities, including global brands like Asus, FedEx, and Toyota. Many of these brands were targeted through their subdomains and regional storefronts. Additionally, several government services and educational institutions in Latin America and Qatar were also affected. Notably, some domains associated with the Trump Organization were part of the defacement.

The broad scope of this campaign raises alarms about the security of e-commerce platforms and highlights the vulnerability of even well-known brands. The fact that both commercial and governmental sites were affected indicates a serious threat landscape.

What Data Was Exposed

While the primary focus of the attackers appears to be defacement rather than data theft, the implications are still significant. The defacement files often included the attackers' handles, which they used to build a reputation within the hacking community. However, the PolyShell vulnerability reported by Sansec could allow attackers to upload executables to any Magento store without authentication, potentially leading to more severe data breaches in the future.

The vulnerability affects all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2, raising concerns about the security of many sites still operating on these versions. The risk of XSS attacks in earlier versions adds another layer of vulnerability.

What You Should Do

To protect against such attacks, site administrators should immediately assess their Magento installations for vulnerabilities. Here are some recommended actions:

  • Update Magento: Ensure that your site is running the latest version of Magento to mitigate known vulnerabilities.
  • Monitor for Defacement: Regularly check your site for unauthorized changes or defacement.
  • Implement Security Measures: Employ security plugins and firewalls to protect against unauthorized access.
  • Educate Your Team: Make sure that everyone involved in managing the site understands the importance of security and how to identify potential threats.

By taking these steps, businesses can better safeguard their online presence and reduce the risk of falling victim to similar campaigns in the future.

🔒 Pro insight: Analysis pending for this article.

Original article from

SecurityWeek · Ionut Arghire

Read Full Article

Share

Related Pings

HIGHBreaches

Navia Data Breach - 2.7 Million Users' Sensitive Data Exposed

Navia has confirmed a major data breach affecting 2.7 million users. Sensitive personal and health information was exposed, raising identity theft concerns. Affected individuals are being notified and offered identity protection services.

Cyber Security News·
HIGHBreaches

Identity Theft Surge - SpyCloud's 2026 Report Unveiled

SpyCloud's latest report reveals a sharp rise in non-human identity theft, impacting corporate users significantly. Exposed API keys and session tokens present serious risks. Organizations must enhance their security measures to combat this growing threat.

CSO Online·
HIGHBreaches

Data Breach - Millions of Sears Home Services Records Exposed

A massive data leak at Sears Home Services has exposed millions of customer records. This breach raises serious privacy concerns for affected individuals. Customers are urged to monitor their data for potential misuse.

SC Media·
HIGHBreaches

Breaches - Alleged Crime Stoppers Informant Data Breach

A massive data breach has compromised over 8.3 million records from Crime Stoppers. This incident raises serious concerns about the privacy of tipsters. Individuals who submitted tips may now face risks to their safety. Authorities are investigating the breach and its implications.

SC Media·
HIGHBreaches

Marquis Breach - Over 670K Individuals Affected

A major data breach at Marquis Software Solutions has exposed personal data of over 670,000 individuals. Affected banks and credit unions are now facing significant security risks. Immediate action is necessary to protect personal information and prevent identity theft.

SC Media·
HIGHBreaches

Bitrefill Hack - Lazarus Group Exposed Purchase Records

What Happened In a recent cyberattack, the North Korean hacking group known as Lazarus Group has been implicated in breaching the cryptocurrency e-commerce platform Bitrefill. This incident, which occurred earlier this month, resulted in the theft of approximately 18,500 purchase records. The breach was initiated through the infiltration of Bitrefill's infrastructure after compromising an employee's laptop on March 1.

SC Media·