Magento Marketplace Suffers Data Breach, Adobe WarnsE-Commerce Platform User Data Exposed Exploited; Vulnerability Now Fixed
The Magento Marketplace application store suffered a breach that exposed user data, software giant Adobe Systems warns.
Magento is one of the world's most widely used e-commerce platforms.
Adobe says it identified a vulnerability in the e-commerce marketplace on Nov. 21, which was exploited by an "unauthorized third party" to access "account information related to Magento Marketplace account holders," according to an email advisory. The advisory was posted by some users on Twitter.
The exposed data included names, email addresses, usernames - aka MageIDs - as well as billing and shipping addresses, phone numbers and "limited commercial information (percentages for payments to developers)."
The advisory adds: "This issue did not affect the operation of any Magento core products or services," and Adobe said the exploited flaw was "quickly fixed."
Adobe did not say how many users' data was exposed or how long the data breach lasted. Affected users are being contacted by email.
Adobe did not immediately respond to further questions from Information Security Media Group submitted late on Thursday.
Magento, which was acquired by Adobe last year for $1.7 billion, is one of the most popular e-commerce platforms. A 2017 year in review published by Magento said it was being used by 250,000 merchants.
As with any software designed to handle financial transactions, Magento has been persistently targeted by cybercriminals, including by Magecart, which is an umbrella term used to describe groups of attackers that regularly tamper with systems to steal payment card data (see Magecart Group Continues Targeting E-Commerce Sites).
Magecart attacks against Magento continue to escalate. In May, the security vendor RiskIQ wrote that it had detected "some of the most significant Magecart attacks ever carried out."
Yonathan Klijnsma, a threat researcher with RiskIQ, writes that e-commerce shops running Magento are the prime target for groups running web skimming - aka digital skimming - attacks. Such attacks typically involve exploiting vulnerabilities or outdated software to install malicious code that collects payment card details and sends them to a remote server, for later retrieval by attackers.
Attackers quickly abuse new flaws that come to light in Magento. Earlier this month, for example, Magento warned of a serious remote code execution vulnerability, designated CVE-2019-8144.
"Merchants running Magento Commerce 2.3.x should install the latest security update to help protect their stores from potential malicious attacks that could exploit a vulnerability in preview methods," Magento's security advisory reads. "This vulnerability could enable an unauthenticated user to insert a malicious payload into a merchant's site and execute it, which is why we recommend installing this update."
The vulnerability was so serious that Magento added additional defenses to try and prevent attackers from exploiting the flaw. Those changes meant that administrators couldn't view previews for products, or for blocks or dynamic blocks, which allow developers to show certain content to specific audience segment.
E-Commerce Attacks Continue
Klijnsma says that the volume of attacks being directed at Magento or other major e-commerce platforms - including Shopify, OpenCart and OSCommerce - will decline anytime soon.
"Businesses need a continued focus on visibility into their internet-facing attack surfaces, as well as scrutinize of the third-party services that constitute their web applications," he writes. "Magecart's recent ravages have shown that a lot of the investment in securing corporate infrastructure hasn't worked. Companies will continue to be overwhelmed by the scale and tenacity of these kinds of groups, especially as attacks launch from outside the firewall and the data theft occurs in the user's browser."
Warning: Phishing Attacks
Unfortunately, the type of data leaked in the breach that Adobe detected on Nov. 21 could be put to us by attackers, for example, to launch repeat phishing attacks against Magento users.
Earlier this year, the Magento security team issued a warning about active phishing campaigns.
"We are aware of reports that phishing attempts are impersonating Magento and are being used for targeted attacks," the advisory says. "This misleading phishing email encourages users to click on a link that indicates all users are required to register for an alert platform."
The alert advised users to check email headers to ensure an email actually came from Magento, be on the lookout for grammatical errors and to analyze any URLs included in the content to spot potential oddities. The security team also warned users to never install zip files or and other attachments included with purported emails from Magento.
Executive Editor Mathew Schwartz contributed to this report.