Adobe’s Magento Marketplace suffers data breach

Adobe’s Magento Marketplace has suffered a data breach, the company has said in an email sent to customers.

The Magento Marketplace is where the Magento e-commerce Content Management System’s 250,000 customers can access software add-ons including extensions, themes and third-party services.

The company hasn’t said when the breach happened, merely that its security team discovered a vulnerability on 21 November 2019 that had allowed an “unauthorised third party” to access account information.

Data compromised includes names, email addresses, MageID, billing and shipping addresses and phone numbers, plus limited commercial information such as “percentages for payments to developers.”

The email, which can be read in full courtesy of a Twitter user who posted it, continued:

“Upon discovery, we immediately launched an investigation, shut down the service and addressed the issue.”

No passwords or payment data was compromised, and none of Magento’s core products or services (i.e. software hosted on the site) were affected, the statement added.

The company also posted a brief online statement, although this offers no additional information on the causes of the incident. It refers affected users to the Security Center, which itself has no mention of this specific incident, or what to do about it.

“We appreciate all that you are doing to maintain good security hygiene and to keep your Magento instance and extensions current. Please refer to the Magento Security Center to help ensure the security of your Magento store.”

The two missing pieces of important information are how many accounts were affected and how long the breach lay undiscovered. On past form, this information will probably never be revealed.

Adobe, of course, infamously suffered one of the largest data breaches ever recorded when 38 million user accounts were compromised in a 2013 incident.

More recently, an Elasticsearch database with customer data for 7.5 million Creative Cloud accounts was discovered in an unsecured state.

Separately, the Magento platform itself has also suffered security flaws, including one from earlier in 2019 that criminals started exploiting only days after researchers made it public.

Adobe acquired Magento for $1.68 billion in 2018.