Magento Breach - Ongoing Defacement Campaign Hits Thousands
Basically, many online stores using Magento were hacked and had their websites changed by attackers.
A significant defacement campaign has hit over 7,500 Magento sites, affecting global brands and government services. This widespread attack underscores serious security vulnerabilities. Immediate updates and security measures are crucial to prevent further exploitation.
What Happened
On February 27, a mass defacement campaign targeting Magento sites began, affecting over 7,500 websites. The attacks involved deploying plaintext defacement files across more than 15,000 hostnames. These files often contained the handles of the attackers, with some featuring political messages related to recent geopolitical events. However, these messages appeared for only a short time, suggesting they were not the main goal of the campaign.
According to Netcraft, a digital risk protection platform, the attackers are likely exploiting an unauthenticated file upload vulnerability in Magento. This vulnerability affects various versions of Magento, including Open Source and Adobe Commerce. The campaign has drawn parallels to earlier attacks in October 2025, which exploited the SessionReaper flaw.
Who's Affected
The defacement campaign has impacted a wide range of entities, including global brands like Asus, FedEx, and Toyota. Many of these brands were targeted through their subdomains and regional storefronts. Additionally, several government services and educational institutions in Latin America and Qatar were also affected. Notably, some domains associated with the Trump Organization were part of the defacement.
The broad scope of this campaign raises alarms about the security of e-commerce platforms and highlights the vulnerability of even well-known brands. The fact that both commercial and governmental sites were affected indicates a serious threat landscape.
What Data Was Exposed
While the primary focus of the attackers appears to be defacement rather than data theft, the implications are still significant. The defacement files often included the attackers' handles, which they used to build a reputation within the hacking community. However, the PolyShell vulnerability reported by Sansec could allow attackers to upload executables to any Magento store without authentication, potentially leading to more severe data breaches in the future.
The vulnerability affects all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2, raising concerns about the security of many sites still operating on these versions. The risk of XSS attacks in earlier versions adds another layer of vulnerability.
What You Should Do
To protect against such attacks, site administrators should immediately assess their Magento installations for vulnerabilities. Here are some recommended actions:
- Update Magento: Ensure that your site is running the latest version of Magento to mitigate known vulnerabilities.
- Monitor for Defacement: Regularly check your site for unauthorized changes or defacement.
- Implement Security Measures: Employ security plugins and firewalls to protect against unauthorized access.
- Educate Your Team: Make sure that everyone involved in managing the site understands the importance of security and how to identify potential threats.
By taking these steps, businesses can better safeguard their online presence and reduce the risk of falling victim to similar campaigns in the future.