Adobe discloses security breach impacting Magento Marketplace users

Security breach was detected last week and traced back to a vulnerability in the Magento Marketplace website.

magento.png

Adobe disclosed today a security breach that impacted users registered on the company's Magento Marketplace, a portal for buying, selling, and downloading themes and plugins for Magento-based online stores.

In an email sent to customers, the company said the point of entry was a vulnerability in the Magento Marketplace website that allowed "an unauthorized third-party" to access account information for registered users.

Impacted users include both regular users who registered on the site to buy themes and plugins for Magento-based online stores, but also plugin and theme developers who were using the portal to sell their code and make a living.

While Adobe didn't say when the hacker exploited this vulnerability, it said that its security team discovered the intrusion last week, on Thursday, November 21.

The vulnerability allowed access to user data such as name, email, store username (MageID), billing and shopping addresses, phone number, and limited commercial information -- such as percentages for payments Adobe made to theme/plugin developers.

Account passwords or financial information were not exposed, Adobe said.

magento-email-breach.jpg

Image via @Hxzeroone on Twitter

"We have notified impacted Magento Marketplace account holders directly," said Jason Woosley, Vice President of Commerce Product & Platform, Experience Business, at Adobe.

The Adobe VP didn't share the total number of impacted accounts. A Magento spokesperson did not comment beyond the company's official blog post.

Woosley said they took down the Magento Marketplace as soon as they learned of the hack in order to address the vulnerability. The store is now back online.

The Adobe exec said the hack didn't result in any outages or disturbances to the company's core Magento products and services, and, at the time of writing, there is no reason to believe that the hacker compromised Magento's core backend or plugins and themes hosted on the marketplace.

Magento is a content management solution (CMS) for building online stores. It comes as a cloud-based services, but also as a self-hostable solution. It is one of today's most popular e-commerce platforms, behind Shopify.

Adobe acquired Magento for $1.68 billion in May 2018.