Magento Marketplace data breach: PII & billing info of customers compromised

Adobe has announced that its Magento Marketplace e-commerce platform suffered a data breach this month that involved hackers exploiting a security vulnerability to access customers' names, email addresses, billing addresses, phone numbers, and information about payments made to developers.

Magento Marketplace is the world's leading open source e-commerce web platform that enables customers to bring together all their marketing tech in a single place, to manage their content, deliver email campaigns, and automate their buying and selling processes.

A part of Adobe Experience Cloud, Magento Marketplace offers services to the world's biggest retailers, brands, and branded manufacturers across B2C and B2B eCommerce industries and is supported by a global community of around 360,000 developers and innovators.

On Wednesday, Adobe announced that Magento Marketplace suffered a data breach that involved hackers exploiting a security vulnerability to access customers' names, email addresses, billing addresses, phone numbers, and information about payments made to developers. The unauthorised access to customer information was detected by the company on 21 November.

Magento Marketplace breach did not impact user passwords or payment data

In a letter addressed to affected customers, Adobe said that it recently discovered a security vulnerability in the e-commerce platform that resulted in an unauthorised third-party accessing account information related to the platform's account holders.

"The Magento Marketplace account information accessed was the information associated with your Magento Marketplace user account, including name, email, MageID, billing and shipping address information, billing and shipping phone number, and limited commercial information (percentages for payments to developers).

"Upon discovery, we immediately launched an investigation, shut down the service, and addressed the issue. No passwords or financial data (including payment card information) were impacted. None of the Magento core products or services were affected by the issue," the company said.

"At Magento, we believe transparency with our global community of merchants, partners, and developers is important. Magento is the largest open source community in eCommerce. We have all seen the power of this amazing community coming together to solve the most complex problems in commerce, and security is no different.

"We take these issues seriously and are committed to helping ensure our platforms are secure. We are reviewing our processes to help prevent these types of events from occurring in the future," said Jason Woosley, Vice President, Commerce Product & Platform, Experience Business, Adobe.

Magento issued a fix for a critical RCE vulnerability a week prior to the breach

The data breach took place not long after Magento released a number of security patches in October to fix dozens of vulnerabilities that could allow malicious actors to carry out remote code execution, cross-site scripting, and other exploits.

Earlier this month, Magento released another security update to fix a critical vulnerability that could enable "an unauthenticated user to insert a malicious payload into a merchant’s site and execute it". The vulnerability affected Magento Commerce 2.3.1 and Magento Commerce 2.3.2 versions and merchants were urged to update their platforms to newer versions such as Magento Commerce 2.3.3 and the security-only patch 2.3.2-p2.

"We recommend that all merchants, even those who have already upgraded to 2.3.3 or applied security-only patch 2.3.2-p2, review the security of their Magento site to confirm that it was not potentially compromised before upgrade. Applying this hot fix or upgrading as described in this blog will help defend your store against potential attacks going forward, but will not address the effects of an earlier attack," the company said.

ALSO READ: French fashion retailer Sixth June the latest victim of formjacking attacks