Magento Marketplace Suffers User-Exposing Data Breach

Last updated May 26, 2021
Written by: Bill Toulas, Infosec Writer

Magento is an open-source e-commerce platform that is used in more than 100,000 online stores and counts over 2.5 million registered users. Its popularity drew the interest of Adobe, which bought it in May 2018 for $1.68 billion. Unfortunately, Adobe has just announced that the Magento Marketplace suffered a data breach which resulted in the exposure of an undisclosed number of users. According to the blog post, the unauthorized third party who conducted the breach accessed a database that contained both customer and developer data, so buyers and sellers alike were exposed.

The leaked data includes user names, email addresses, MageIDs, billing addresses, shipping addresses, phone numbers, and various types of commercial information that was provided to the platform. Adobe assures the public that the core product and services haven’t been compromised this time, which means that the themes and plugins hosted on the Marketplace haven’t been infected with malware or a backdoor.

The company states that its IT teams discovered the breach on November 21, 2019, and took down the Magento Marketplace immediately in order to secure the database. However, there is no clarification about whether that date was the moment of the initial infection or whether that took place earlier. If the latter is the case, then the question is how long the hackers had access to the compromised database. Adobe answers none of this in its announcement, or in the notifications that it is sending to the affected account holders. How many received these emails also remains a mystery.

Source: Magento Blog

If you are a registered Magento seller, you should reset your password and also change it on any other platforms where you use the same one. Adobe hasn’t mentioned anything about passwords being exposed, but it is very likely that they are included in the leaked data, even if in encrypted form. As for the customers who may have been exposed, they will most probably not receive any notifications from Adobe, so it’s up to you to keep an eye on published breaches and take all proper measures to secure your data online. Considering that your email and phone number have been leaked, you should be wary of any unsolicited messages or calls that you may receive from scammers.

Will you be trusting and using Magento from now on? Let us know in the comments down below, or join the discussion on our socials, on Facebook and Twitter.


