Magento Marketplace users impacted by Adobe security breach

28 Nov 2019


Adobe detected a security breach last week, which it traced back to a vulnerability in the Magento Marketplace.

Adobe has warned users about a security breach in its system that impacted users registered on the company’s Magento Marketplace.

In an email sent to customers, the company noted that the point of entry was a vulnerability in the Magento Marketplace website. This vulnerability enabled an “unauthorised third party” to access information from account holders.

Adobe became aware of the vulnerability on the day of the intrusion, 21 November 2019, and temporarily took down the e-commerce platform as a result, though it said the issue “did not affect the operation of any Magento core products or services”.

The hacker may have accessed usernames, email addresses, store usernames (also known as MageID), billing and shipping addresses, phone numbers and more. However, Adobe maintains that no financial data or account passwords were exposed.

Some commercial information, such as percentages for payments Adobe made to theme or plugin developers, was also exposed.

Cloud vulnerabilities

Last month, it was reported that 7.5m Adobe Creative Cloud accounts were exposed accidentally. Much of Creative Cloud is hosted on Amazon Web Services, including Amazon Elastic Compute Cloud (Amazon EC2). Security researcher Bob Diachenko found that a database on EC2, used to store and search large volumes of data, was exposed.

Adobe purchased California-based company Magento in 2018 for $1.68bn. The company provides software products to build and run online stores, manage purchases and more, competing directly with Shopify.

Magento boasts clients including Canon, Rosetta Stone and more. Prior to the Adobe acquisition, Magento was acquired by eBay in 2011 and then went private in 2015.

Yesterday (27 November), we reported that approximately one million T-Mobile customers in the US were affected by a security breach. Similarly, though no passwords or financial data were accessed by threat actors, data such as names, billing addresses, account numbers and more were exposed.

Eva Short was a journalist at Silicon Republic
