NEW YORK—Malicious JavaScript skimming code was recently injected into nearly 2,000 e-commerce sites that were running an older version of Adobe's Magento software, possibly resulting in the theft of payment card data, according to Sanguine Security.
The hackers may have used a zero-day exploit for Magento that was being sold on a darknet forum, the security firm reports.
Adobe ceased support June 30 for the 12-year-old Magento 1 e-commerce platform that all of the targeted sites were still using. Adobe has urged customers to upgrade to the newer platform, but Sanguine Security's research shows about 95,000 e-commerce sites still rely on the older version, Bank Info Security said.
"Tens of thousands" of consumers' payment card data potentially could have been exposed in this skimmer attack, according to the Sanguine report.
"This automated campaign is by far the largest one that [Sanguine Security] has identified since it started monitoring in 2015. The previous record was 962 hacked stores in a single day in July last year," according to the report.
Sanguine Security did not notify the affected e-commerce sites, but the security firm says it's making the complete list of targeted sites available to law enforcement, Bank Info Security said.
