Magento Marketplace suffers data breach exposing confidential details of users

Adobe has disclosed a security breach that exposed confidential information of a number of Magento Marketplace users.

In an email to customers, the company admitted that hackers unknown had exploited a security flaw on the Magento website to access the account details of registered users - buyers as well as sellers (developers). 

Magento provides widely used ecommerce software on both an open source and commercial basis. However, it has been repeatedly targeted by scammers following a string of security alerts in recent years - the latest coming only in November. 

The information compromised included usernames, phone number, email addresses, MageID (store usernames), billing addresses, shopping addresses, and limited commercial information. But, Magento's core products and services were not exposed in the incident, the company assured.

While the company didn't reveal when the Magento marketplace website was compromised, it did confirm that the breach was discovered by its security team on 21^st November.

"On November 21, we became aware of a vulnerability related to Magento Marketplace," said Jason Woosley, VP of Commerce Product and Platform at Adobe, in a statement.

"We temporarily took down the Magento Marketplace in order to address the issue. The Marketplace is back online. This issue did not affect the operation of any Magento core products or services," he added.

The company didn't share the total number of affected accounts. It just stated that it had notified all affected account holders directly.

Magento, which was bought by Adobe last year, is one of the most popular e-commerce platforms in the world. Its Marketplace portal is used by thousands of people to buy, sell, and download themes and plugins for Magento-based online stores.

The popularity of Magento has also led to it being persistently targeted by cyber criminals of late.

In May, the cyber security firm RiskIQ said that e-commerce stores running Magento were the prime target for hacking groups running web skimming attacks. Such attacks are typically carried out by installing malicious scripts in web pages to steal payment card details of the customers.

Earlier this month, Magento advised its users to apply the latest security update to protect their ecommerce sites from potential attacks exploiting a remote code execution (RCE) security flaw.

The company said that the vulnerability, indexed as CVE-2019-8144, could allow attackers to inject a malicious payload into a merchant's website site through PageBuilder template methods and then execute the payload.

Earlier in March, researchers at security firm Sucuri found a critical vulnerability in Magento, which left nearly 300,000 online retailers at risk of card-skimming attacks. The researchers said this PRODSECBUG-2198 SQL injection vulnerability could allow cyber-crooks to launch devastating attacks and hijack accounts without authentication.

Comments are closed.