Hacking and cyber attacks have been the bane of websites since the internet’s creation, and that still hasn’t changed. As security measures get more advanced, so do hacking strategies. Any website being hacked is a serious ordeal, but stakes are elevated in the case of eCommerce due to the sheer amount of sensitive data that can be breached and stolen from online stores.
As a merchant, you want your business to be as secure as possible and your customers’ information safe from bad actors. Unfortunately, while many eCommerce platforms work hard to keep their merchants’ sites safe and secure, some things can slip through the cracks if the proper preventative measures aren’t taken.
Today, let’s go through the details on a few hacked eCommerce platforms and how they were hacked to begin with.
How do eCommerce Platforms Get Hacked?
There isn’t one single answer to the question of how an eCommerce platform can be hacked. Hacks can have a variety of causes, ranging from human error to code injection. But, before you can understand how eCommerce platforms and online stores can be hacked, we first need to discuss what hacks are, how they differ from attacks and data breaches, and how web security vulnerabilities allow them to happen.
What is a Hack?
A “hack” occurs when an unauthorized individual uses vulnerabilities and exploits on a website to conduct their activities, which are usually of malicious intent. There’s a seemingly endless list of hacks that can be done on websites, so we’ll go through a few of the most common that you may come across:
SQL Injection
SQL, or Structured Query Language, is the language most website databases are queried with. In an SQL injection attack, the hacker types SQL fragments into an input that the website’s code pastes straight into a database query (a login form, a search box, a URL parameter), so the backend database executes the hacker’s SQL alongside the site’s own. This way, the hacker can read information that may be sensitive, including usernames and passwords. Hackers can also modify data in the database, often injecting malicious content into vulnerable fields. SQL injections are most often attempted on login pages to capture the sensitive data being entered there.
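As an added illustration (not code from the original article), the following Python snippet shows the login check described above in both forms: a query built by string concatenation, which lets typed-in text become SQL, and the same check as a parameterized query, which is the standard fix. The in-memory SQLite table, user name and password are constructed for the example; passwords are kept in plaintext only to keep it short.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a store's customer table.
    Passwords are stored in plaintext only to keep the demonstration short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by gluing user input into the SQL text, so whatever
    the user types becomes part of the statement the database runs."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Sends the SQL and the values separately (a prepared statement); the
    database treats the values as data and never parses them as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0

def demo() -> dict:
    """Run both login checks with the genuine password and with the classic
    tautology payload, so the difference is visible side by side."""
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into one that is always true
    return {
        "vulnerable_correct_password": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_injected": login_vulnerable(conn, "alice", tautology),
        "parameterized_correct_password": login_parameterized(conn, "alice", "correct-horse"),
        "parameterized_injected": login_parameterized(conn, "alice", tautology),
    }

if __name__ == "__main__":
    for name, logged_in in demo().items():
        print(f"{name}: {'login accepted' if logged_in else 'login refused'}")
```

The vulnerable version accepts the injected string as a successful login because the database sees `... AND password = '' OR '1'='1'`; the parameterized version refuses it because the whole string is compared as a password value. Every platform named later in this article (PHP, in their case) offers prepared statements; using them everywhere is the fix, not filtering individual characters.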
Cross-Site Scripting (XSS)
Cookie Poisoning
Cookies are small text files that websites create to be stored on a user’s computer as a way to recognize the user upon repeat visits and keep track of their specific data. In a cookie poisoning hack, attackers manipulate a user’s session cookies to bypass website security and, in essence, impersonate the user. This can allow the hacker to gain unauthorized information, access user accounts or open new accounts on a website.
Website Defacement
Website defacement occurs when a hacker gains unauthorized access to a website and changes the visual appearance of the web page. Typically, this type of hack doesn’t deal in stealing sensitive information and is considered to be a type of electronic graffiti. However, a defacement hack can negatively impact your business and brand if seen by your users and customers.
What is a Data Breach?
When a website experiences a data breach, this means that sensitive information was accessed without authorization. This usually includes usernames, passwords, email addresses, and other bits of identifying information. In other cases, data breaches have leaked financial information including sales metrics and credit card numbers. There are several reasons as to why a website can experience a data breach, but the most common are:
- Weak passwords
- Drive-by downloads
- Exploited system vulnerabilities
- Targeted malware attacks
Data breaches have affected some of the largest corporations in the world, with often billions of users being affected. Some of the most notable data breaches include Yahoo with 3 billion victims, Facebook with 540 million victims, Marriott International with 500 million victims, and Equifax with 143 million victims.
What are Security Vulnerabilities?
A security vulnerability refers to a weakness in a website or application that could lead to exploitation by a hacker or bad actor. There are many different types of security vulnerabilities, but the most common are:
Broken Authentication and Session Management
If there’s a vulnerability in a website’s authentication or session management, then the site can no longer reliably keep track of which user is which. In the case of broken authentication and session management, attackers can hijack a user’s active session and assume their identity using their unprotected authentication credentials and session identifiers (like cookies). To prevent a hack using this vulnerability, ensure that your authentication procedures are sound and working properly for all users.
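The cookie poisoning hack described earlier and the broken session management described here share one root cause: the server trusts whatever comes back in the session cookie. The following added example (not from the original article) shows the usual countermeasure, a session cookie whose contents are covered by an HMAC tag computed with a server-side key, plus an expiry. The key, the claims layout and the `tamper_role` helper that simulates an attacker editing the cookie are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret; a real deployment loads it from protected
# configuration and rotates it. It never leaves the server.
SECRET_KEY = b"demo-secret-key-replace-in-production"
SESSION_TTL = 3600  # seconds a session stays valid

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _claims_bytes(claims: dict) -> bytes:
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()

def issue_cookie(user_id: int, role: str, now: Optional[float] = None) -> str:
    """Serialize the session claims and append an HMAC tag computed over them."""
    now = time.time() if now is None else now
    payload = _claims_bytes({"uid": user_id, "role": role, "exp": int(now + SESSION_TTL)})
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def read_cookie(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the tag verifies and the session has not expired.
    Tampering, truncation or expiry yields None and the visitor is treated as logged out."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:   # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None
    return claims

def tamper_role(cookie: str, new_role: str) -> str:
    """Simulate cookie poisoning: edit the role claim but keep the original tag,
    which is all someone without the key can do."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_unb64(payload_b64))
    claims["role"] = new_role
    return _b64(_claims_bytes(claims)) + "." + tag_b64
```

A cookie whose role has been changed from `customer` to `admin` fails the tag check and is treated as no session at all, and an unmodified cookie stops working once `exp` passes. Issue such cookies with the `Secure` and `HttpOnly` attributes so they travel only over HTTPS and cannot be read by injected script.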
Security Misconfiguration
If a website hasn’t been maintained or updated properly, then different aspects of the website may not be configured properly for full security. When a website suffers from security misconfiguration, hackers can get access to private data or features through weakened areas, potentially resulting in complete system compromise. To solve this vulnerability, ensure that all of your site’s elements are up-to-date and work together so as not to leave any holes for hackers to weasel into.
Cross-Site Request Forgery (CSRF)
A CSRF vulnerability can be exploited by tricking a user into submitting a malicious request to execute unwanted actions on the website they’re already authenticated on. This type of hack typically requires extra effort in the way of social engineering, but ultimately can result in victims inadvertently transferring funds, changing email addresses and more in the interest of the hacker. In this case, the vulnerability lies in the individual who was tricked; the best way to prevent this would be to properly train all employees with access to your website to teach them how to spot malicious requests.
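The paragraph above places prevention with the person who was tricked. The control that web applications themselves use, shown in this added example (not code from the original article), is a per-session anti-CSRF token that the legitimate form carries as a hidden field and that every state-changing request must present; a page on another site can make the victim’s browser send a request, but cannot read or compute the token. The server secret, the hypothetical `/transfer` handler and the dictionary standing in for a framework request object are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; in production load it from protected configuration.
CSRF_SECRET = b"demo-csrf-secret-replace-in-production"

def new_session_id() -> str:
    return secrets.token_hex(16)

def csrf_token_for(session_id: str) -> str:
    """Derive a token bound to the session. Without CSRF_SECRET an attacker's
    page cannot compute this value, so its forged request will lack it."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def render_transfer_form(session_id: str) -> str:
    """The legitimate form embeds the token as a hidden field (hypothetical markup)."""
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{csrf_token_for(session_id)}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')

def session_cookie_header(session_id: str) -> str:
    """Second layer: SameSite tells the browser not to attach the session cookie
    to requests that originate from another site."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Lax"

def handle_transfer(request: dict, session_id: str) -> str:
    """State-changing handler. `request` is a constructed stand-in for a
    framework request object: {"method": ..., "form": {...}}."""
    if request.get("method") != "POST":
        return "rejected: state changes require POST"
    form = request.get("form", {})
    submitted = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(submitted.encode(), csrf_token_for(session_id).encode()):
        return "rejected: csrf token missing or invalid"
    return f"transferred {form.get('amount')} to {form.get('to')}"
```

A request assembled by a third-party page arrives with the victim’s session cookie (unless `SameSite` already stopped it) but without the token, so the handler refuses it before touching any funds. Refusing `GET` for state changes closes the other common route, a link or image tag that triggers the action.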
Arbitrary File Upload
The arbitrary file upload vulnerability is characterized by a file going unchecked, unfiltered and unsanitized when uploaded to a web application. Since uploaded files aren’t going through any sort of checking, an attacker could upload a malicious script file and execute it on the website. At this point, a hacker can execute any command they want, leading to a fully compromised server. To prevent this vulnerability, ensure that your website checks every file that’s uploaded and rejects file types that could potentially be harmful. Additionally, you should take care of SQL server monitoring.
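The check the paragraph calls for, written out as an added example (not the article’s or any platform’s own code): an allow-list of extensions, a magic-bytes check so the content really is the type the name claims, rejection of executable extensions hidden anywhere in the name, a size cap, and a random server-chosen storage name. The extension list, signature bytes and limits are constructed for the example; the same checks apply to plugin upload forms such as the checkout-customization case discussed later.

```python
import os
import secrets
from typing import Tuple

# Allow-list of extensions a store's upload form should accept, each with the
# magic bytes a genuine file of that type starts with (constructed for the example).
ALLOWED_TYPES = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
}
# Extensions that must never appear anywhere in the name, even as "photo.php.png",
# because some web server configurations execute on the inner extension.
EXECUTABLE_PARTS = {"php", "php5", "phtml", "phar", "cgi", "pl", "py", "sh", "js", "html", "htm"}
MAX_BYTES = 5 * 1024 * 1024

def check_upload(client_filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason_or_extension). Neither the client-supplied
    file name nor its Content-Type header is trusted; only the bytes are."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    name = os.path.basename(client_filename.replace("\\", "/")).lower()  # drop any path
    parts = name.split(".")
    if len(parts) < 2 or "" in parts:
        return False, "missing or empty extension"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if any(p in EXECUTABLE_PARTS for p in parts[:-1]):
        return False, "executable extension hidden in name"
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, ext

def storage_name(ext: str) -> str:
    """Store under a random, server-chosen name so the uploader never controls the
    path; keep the upload directory outside the web root or marked non-executable."""
    return secrets.token_hex(16) + "." + ext
```

A PHP file renamed to `.png` fails the magic-bytes check, `shell.php.png` fails the double-extension check, and a name carrying `../` segments is reduced to its base name before any decision is made. The accepted file is then written under a name the client never sees or chooses.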
What is an Attack?
While most hacks can be considered attacks, not all attacks are hacks. A cyber attack implies that the attacker uses any means necessary to wreak havoc on a website, whether that be through hacking into the website using vulnerabilities or through other means. Often, an attacker could be an insider who already has access to your website and uses that access to delete necessary files, steal data or disrupt business in any way.
Most non-hacking attacks can be prevented in two key ways:
- Be sure to remove any unnecessary administrator rights on all applications and operating systems. If an employee doesn’t need administrator rights, then they shouldn’t have them; otherwise, you risk a disgruntled employee sabotaging your business.
- All changes to Active Directory, file systems, Exchange, and MS SQL should be documented. This is to ensure that any changes, which may be destructive, are logged and easily traceable.
However, some attacks aren’t as easy to prevent. One of the most famous examples of a cyber attack that can do major damage is the DDoS attack, which is short for Distributed Denial of Service. These attacks take down your website by flooding the server behind your IP address with far more traffic than it’s equipped to handle. This makes it so that legitimate users of your website are unable to access it, resulting in a loss of business. By choosing the right content delivery network (CDN), your website will be better equipped to withstand a malicious DDoS attack.
List of Hacked eCommerce Platforms
Volusion
In early October 2019, hackers compromised Volusion’s Google Cloud environment. Once infiltrated, the hackers loaded malicious skimmer code onto more than 6,500 Volusion stores. The platform was infiltrated by Magecart, a group of hackers that had also attacked British Airways, Newegg and Ticketmaster the year prior. The Volusion hack ended up stealing payment information from Volusion merchants’ websites.
WordPress
As an open-source platform, it’s no surprise that WordPress is a frequent victim of hacks. In 2018, WordPress accounted for 90% of all hacked CMS (content management system) websites. Most of the hacks that WordPress websites experienced had to do with security vulnerabilities found in plugins and themes (which are installed separately), misconfiguration issues, and a lack of maintenance and updates. However, only 36% of the hacked WordPress sites were running an outdated version, so this wasn’t the biggest cause.
PrestaShop
Dating all the way back to 2013 and as recently as 2020, merchants with stores on PrestaShop have been posting on forums reporting that their sites have been hacked. Most commonly, PrestaShop stores are being hacked via security vulnerabilities like:
- SQL injection
- Privilege escalation
- Compatibility issues
- Remote code execution
- Weak passwords and directory permissions
- Arbitrary file uploads
- XSS and zero-day exploits
- CVE-2017-9841, a vulnerability in PHPUnit
Like WordPress, PrestaShop is open-source eCommerce software that needs to be installed and hosted by the merchant. Because of this, it’s more vulnerable to hacks that take advantage of insecure modules that merchants install onto their websites.
Weebly
In February 2016, Weebly experienced a data breach that affected 43 million of their customers. Weebly wasn’t made aware of the data breach until 8 months later, at which point they alerted all merchants to the breach and advised them to change their passwords. The compromised records contained usernames, passwords, email addresses and IP information. However, Weebly stated that they had no evidence of customers’ websites being improperly accessed. Sites built with Weebly were most likely protected from unauthorized use due to the way passwords are protected on the platform, which is through salted bcrypt hashing.
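Why salted, slow hashing limits the damage of a stolen password table, as an added example that is not from the original article or from Weebly: each user gets a random salt, so two users with the same password produce different records, and a thief cannot precompute one table of guesses for everyone. The standard library’s `hashlib.pbkdf2_hmac` is used here as a stand-in for bcrypt (which needs a third-party package); the property demonstrated is the same. The record format, iteration count and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# pbkdf2_hmac stands in for bcrypt because it ships with the standard library;
# both combine a per-user random salt with a deliberately slow hash.
ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:   # malformed record
        return False
    return hmac.compare_digest(digest, expected)

def breach_report(records: dict) -> dict:
    """What a thief learns from a leaked table: which users share a digest.
    With per-user salts, identical passwords still give distinct digests."""
    digests = [record.split("$")[-1] for record in records.values()]
    return {"users": len(records), "distinct_digests": len(set(digests))}
```

Two constructed users who both chose `hunter2` end up with different records, both still verify, and a wrong guess or a malformed record is refused. The iteration count is stored in the record so it can be raised over time without invalidating existing accounts.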
Magento
In March 2019, Magento 2 stores were the targets of an attack in which hackers exploited an SQL injection vulnerability in the Magento CMS. Through this exploit, hackers could take over unpatched and vulnerable sites. The vulnerability, tracked as PRODSECBUG-2198, could have been used to plant payment card skimmers, which would steal credit card information from any customer who made payments on a vulnerable Magento 2 store. Magento released a patch that merchants needed to install in order to protect their sites from this exploit. Again, Magento is an open-source eCommerce platform, which is inherently harder to secure than its SaaS competitors.
OpenCart
Dating as far back as 2012 and as recently as 2018, OpenCart merchants have been reporting that their admin panels have been hacked. Merchants whose admin panels were compromised reported a range of symptoms, including:
- Unknown IP logins to the admin panel
- Multiple unknown admin accounts on the dashboard
- Hundreds of spam emails sent from the server
- Spammy redirects created by rogue server files
- Malicious code injections
- Index file defacements
- Stores blacklisted from search engines
There have been several recorded reasons for these hacks occurring on OpenCart stores. Like most other hacks, SQL injection and cross-site scripting are the most common exploits. Hackers also used cross-site request forgery, remote code execution, and password compromises (due to weak passwords) to gain access to merchants’ stores.
List of Vulnerable eCommerce Platforms
Shopify
Although Shopify is widely considered to be one of the most secure eCommerce platforms, even they experienced a lapse in security. In October 2019, it was discovered that their new Shopify Exchange app’s API endpoint had a security flaw that could be exploited to leak thousands of stores’ revenue and traffic data. After discovering that the app was leaking the revenue of two stores, a researcher did further testing using a script and found that 12,100 stores were exposed, 8,700 were vulnerable, and 3,400 were expected to have their data public. Shopify acted swiftly and resolved the data leak in November of the same year.
WooCommerce
WooCommerce, the popular eCommerce plugin for WordPress, was found to have a security vulnerability in April 2019 that had to do with a supplementary plugin: WooCommerce Checkout Manager. This plugin was intended to allow WooCommerce stores to customize forms on their checkout pages and was used by more than 60,000 stores. The security vulnerability was an arbitrary file upload, which was exploitable if sites had the “Categorize Uploaded Files” setting enabled. This vulnerability could have allowed hackers to execute arbitrary script code on the server and compromise the plugin, modify data or gain administrative access to the website.
OpenCart
OpenCart earns two entries in this article because, in addition to hacks, a number of vulnerabilities have been uncovered in the platform itself. In chronological order of software versions, OpenCart has experienced:
- SQL injections with version 1.3.2
- Blind SQL injections with version 188.8.131.52
- SQL injections in ebay.php with version 184.108.40.206
- Remote code execution from versions 220.127.116.11 to 18.104.22.168
- Cross-site request forgery (CSRF) with version 22.214.171.124
These security vulnerabilities are resolved by updating your OpenCart software to the latest version, which includes patches for them. This emphasizes the importance of keeping your eCommerce website up-to-date if you’re running on an open-source platform like OpenCart, WordPress, Magento or PrestaShop.
PrestaShop
As with OpenCart, PrestaShop also deserves two entries in this article because of its long history of vulnerabilities and hacks. Most recently, the company announced on January 9, 2020 that a malware bot had exploited a vulnerability in their PHP tool, allowing the hackers behind it to seize control of eCommerce stores.
Older versions of the software are particularly unsafe. For example, Version 1.6 and older versions are vulnerable to PrestaShop SQL Injections, which enable hackers to read a website’s database. Unauthorized personnel have given themselves admin privileges and stolen sensitive data by manipulating an encryption bug in Version 126.96.36.199. Other vulnerabilities can be found in the previous section about PrestaShop, and the list is only in that section because people with ill intent discovered those issues before the platform’s engineers.
Finding the Most Secure Platform for Your Business
It’s vital that you keep security a priority when choosing the right eCommerce platform to support your business. If you’re running your online store on an insecure platform, your data and your customers’ data could be at risk. Website security, as you may have noticed throughout this article, is much harder to maintain when you’re running an online store on an open-source platform. It’s on you, the merchant, to stay constantly aware of new security vulnerabilities and software updates so that your store doesn’t get hacked.
On the other hand, a hosted SaaS eCommerce platform is always up-to-date automatically without making you lift a finger. There’s no software to install, so you don’t have to worry about missing an update or misconfiguration that can make your online store vulnerable to bad actors. If you’re using an eCommerce platform like Shift4Shop, then you’ll have access to an unprecedented number of built-in features – you won’t have to worry about downloading and installing a plethora of potentially insecure modules and plugins to get basic features.
If your online store or eCommerce platform has been hacked, or if you have any concerns about the security of the platform you’re using, then feel free to leave a reply and share your story.