Magento Marketplace Breach Exposes User Details

Users of one of the world’s most popular e-commerce marketplaces have been informed that their account information may have been stolen after a data breach at the firm.

The Adobe-owned Magento Marketplace offers thousands of free and premium extensions and themes for users to customize online stores built on the open source platform for e-tailers.

However, the Magento team “became aware of” a vulnerability in the marketplace on November 21, according to a brief statement from Jason Woosley, vice-president of commerce product & platform in Adobe’s experience business.

“We temporarily took down the Magento Marketplace in order to address the issue. The Marketplace is back online. This issue did not affect the operation of any Magento core products or services,” he continued. “We have notified impacted Magento Marketplace account holders directly.”

In an email to affected customers, Magento Marketplace support described the vulnerability as allowing an unauthorized third party to access information including: name, email, MageID, billing and shipping address and phone number, and “limited commercial information.”

Although no passwords or financial information were disclosed, the haul would still allow scammers to attempt follow-on phishing or identity fraud.

It’s unclear how many users were affected, but Woosley claimed the Magento Marketplace is “the largest open source community in e-commerce.”

Magento is no stranger to security incidents: many of the infamous Magecart digital skimming attacks are designed to harvest card data from companies running Magento implementations. In fact, Magento was forced to patch over 30 bugs in an urgent security update earlier this year.

One security company warned earlier this month that the slated end of support for Magento 1, which powers around 12% of the world’s e-commerce sites, could provide hackers with even more opportunities to target exposed sites.
