A security researcher found a serious weakness in the software that powers thousands of e-commerce sites. The platform, called Magento, and its paid version Adobe Commerce, has a bug that lets attackers break into active shopping sessions. Some attackers can even take control of the entire store.
The flaw is known as SessionReaper. It allows hackers to pretend they are real customers without needing a password. Once they are inside, they can steal data, make fake orders, or install tools that collect credit card details.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter
The problem starts in the part of the system that handles how a store communicates with other online services. Because the software does not properly check the information it receives, it sometimes trusts data that it should not. Hackers take advantage of this by sending fake session files that the store accepts as real.
Researchers at SecPod warn that successful attacks can lead to stolen customer data, fake purchases, and even full control of the store’s server.
Once the attack method was shared publicly, cybercriminals began using it right away. Security experts at Sansec reported that more than 250 online stores were compromised within a single day. This shows how quickly attacks can spread once a vulnerability becomes public.
Hackers are exploiting a new flaw called SessionReaper to hijack active shopping sessions on thousands of e-commerce sites running Adobe Commerce and Magento. (Kurt Knutsson)
Adobe released a security update on September 9 to fix the issue. Weeks later, about 62 percent of affected stores still have not installed it. Some store owners are afraid an update might break features on their site. Others simply do not know how serious the risk is.
Every unpatched store remains an open door for attackers who want to steal information or install malicious code.
MAJOR COMPANIES, INCLUDING GOOGLE AND DIOR, HIT BY MASSIVE SALESFORCE DATA BREACH
While store owners are responsible for fixing the problem, you can still take smart steps to protect yourself when shopping online. These actions can help you spot danger early and keep your personal information safe.
Always pay attention to how a website behaves. If a page looks odd, loads slowly, or shows error messages, it could mean something is wrong behind the scenes. Check for the small padlock symbol in the address bar that shows the site uses HTTPS encryption. If it is missing or the site redirects you to an unfamiliar page, stop and close the browser tab immediately. Trust your instincts if something feels off.
Cybercriminals often use fake promotional emails or ads that look like real store offers. Instead of clicking links in messages or banners, type the store’s web address directly into your browser to avoid phishing pages designed to steal your login details or card information. Since attacks like SessionReaper can expose your personal data to criminal marketplaces, consider using a reputable data removal service that continuously scans and deletes your private information, such as your address, phone number, and email, from data broker sites. This reduces your risk of identity theft if your information has been leaked through a compromised online store.
While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com
Get a free scan to find out if your personal information is already out on the web: Cyberguy.com
Cybersecurity teams at SecPod and Sansec tracked more than 250 stores breached within 24 hours of the exploit going public, showing how fast these attacks spread. (Kurt "CyberGuy" Knutsson)
Strong antivirus protection is your silent guard online. Choose reputable software that offers real-time protection, safe browsing alerts, and automatic updates. A strong antivirus program can detect malicious code that tries to run on your device, block unsafe sites, and alert you to potential threats. This adds another crucial layer of defense when visiting online stores that may not be fully secure.
The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com
Whenever possible, choose payment services that add an extra layer of protection between your bank account and the online store. Platforms like PayPal, Apple Pay, or Google Pay do not share your card number with the retailer. This reduces the chance of your information being stolen if the store is compromised. These payment gateways also offer dispute protection if a purchase turns out to be fraudulent.
Stick to stores with a solid reputation. Well-known brands usually have better security and faster response times when issues arise. Before buying from a new website, check its reviews on trusted consumer sites. Look for signs of credibility such as clear contact information, a professional design, and verified payment options. A few minutes of research can save you from weeks of frustration.
TRANSUNION BECOMES LATEST VICTIM IN MAJOR WAVE OF SALESFORCE-LINKED CYBERATTACKS, 4.4M AMERICANS AFFECTED
Updates may seem annoying, but they are one of the most effective ways to protect your data. Make sure your computer, smartphone, and web browser all have the latest security patches installed. Updates often fix the exact kinds of flaws hackers use to spread attacks like SessionReaper. Enable automatic updates if you can, so your devices stay protected without extra effort.
If you create accounts on shopping sites, make sure each one has its own strong password. Avoid using the same password across multiple platforms. Consider using a password manager to generate and store long, random passwords. That way, if one account is compromised, your other logins stay safe.
Next, see if your email has been exposed in past breaches. Our #1 password manager (see Cyberguy.com) pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at Cyberguy.com
If a site or payment service offers two-factor authentication, enable it. This adds a second security step, such as a code sent to your phone or generated by an app. Even if hackers steal your password, they will not be able to access your account without that second verification.
Even weeks after Adobe issued a critical patch for the SessionReaper vulnerability, nearly two-thirds of affected online stores remain unprotected, leaving customer data and payment information at high risk of theft. (CyberGuy.com)
FARMERS INSURANCE DATA BREACH EXPOSES 1.1M AMERICANS
Public Wi-Fi networks in places like cafés, airports, and hotels are often unsecured. Avoid entering payment information or logging in to accounts while connected to public networks. If you must make a purchase while away from home, use a mobile data connection or a reliable VPN to encrypt your activity.
Check your financial statements regularly for any unusual activity. Small, unauthorized charges can be early signs of fraud. Report any suspicious transactions to your bank or credit card company right away so they can freeze your account or issue a new card.
If you notice anything strange during or after an online purchase, act quickly. Contact the store’s customer service to report what you saw. You should also inform your payment provider or credit card company so they can block unauthorized transactions. Reporting early can help stop further damage and alert other shoppers to potential risks.
The SessionReaper attack shows how fast online threats can appear and how long they can linger when updates are ignored. Even well-known stores can become unsafe overnight. For retailers, installing patches quickly is critical. For shoppers, staying alert and choosing secure payment methods are the best ways to stay protected.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Would you still shop online if you knew hackers could be hiding behind a store’s checkout page? Let us know by writing to us at Cyberguy.com
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter
Copyright 2025 CyberGuy.com. All rights reserved.
Kids today are growing up in a world where screens, apps, and social platforms are…
The dark web often feels like a mystery, hidden beneath the surface of the internet…
A computer chip so powerful that it fuels today's artificial intelligence is about to leave…
IN TODAY'S NEWSLETTER: - Amazon to cut around 14K corporate jobs- Senate Republican demands Google…
Microsoft's blog recently gave a firm warning: unsupported systems aren't just outdated, they're unprotected. That…
Nike has taken a bold step into the future with Project Amplify, the world's first…