Skip to content
Vulnerability exploitOngoing

Magento: 7,500+ sites compromised in a global hacking wave

A global automated campaign exploiting an unauthenticated file-upload weakness in Magento defaced 7,500+ e-commerce sites across 15,000+ hostnames, dropping malicious files on stores tied to brands including Toyota, Fiat, Asus and FedEx.

Victim
Magento

Reported on 18 April 2026, Magento β€” Adobe's widely deployed open-source and Commerce e-commerce platform β€” was the target of a sprawling, automated hacking wave that compromised more than 7,500 online stores across over 15,000 hostnames and subdomains worldwide. First detected by Netcraft around 27 February 2026, the campaign was still spreading at the time of reporting.

The attackers relied on mass internet scanning to find Magento installations with inadequately secured, unauthenticated file-upload mechanisms, a flaw that lets a file be written to a web server without any valid credentials. Once inside, they dropped plaintext files directly on the affected infrastructure. The operation was overwhelmingly a defacement campaign rather than a data heist: the deposited files displayed attacker handles (such as L4663R666H05T, Simsimi, Brokenpipe and Typical Idiot Security) and "greetz" lists to advertise the breach and earn notoriety.

The activity hit Open Source, Enterprise and B2B editions, and touched subdomains, staging and regional sites belonging to well-known brands including Toyota, Fiat, Asus, Bandai and FedEx, alongside French retailers such as Moulin Roty and JeuJouet.com, plus government and academic domains in Latin America and Qatar. Because the campaign was opportunistic and automated, the compromised sites had little in common beyond running a vulnerable Magento stack.

Exposure was limited to:

  • Unauthorized write access to public web directories
  • Attacker-uploaded defacement and marker files

No theft of customer or payment data was confirmed in this campaign, though the same underlying weaknesses can enable far more damaging follow-on attacks. Magento operators were urged to apply available security patches, audit installed extensions, verify server-side files for unauthorized changes, and monitor for anomalous activity. The campaign remained ongoing.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/magento-7-500-sites-compromis-dans-une-vague-mondiale-de-piratage/
  2. securityaffairs.comhttps://securityaffairs.com/189734/hacking/7500-magento-sites-defaced-in-global-hacking-campaign.html
  3. cybersecuritynews.comhttps://cybersecuritynews.com/hackers-compromised-7500-magento-websites/
  4. securityweek.comhttps://www.securityweek.com/thousands-of-magento-sites-hit-in-ongoing-defacement-campaign/

Related incidents

Vulnerability exploitContained

Leak at Oracle Cloud

In late March 2025, a threat actor known as 'rose87168' claimed to have stolen roughly 6 million authentication records from an Oracle Cloud SSO/LDAP endpoint, potentially affecting over 140,000 tenants; Oracle initially denied any breach before privately confirming a compromise to customers.

Victim
Oracle Cloud
Records
6.0M