I've been Hacked! Twice! Why eCommerce Security Can’t Wait
In the world of eCommerce, security isn’t optional - it’s essential. Unfortunately, too many online stores and agencies ignore critical security practices, putting customer data and business reputations at risk. I’m sharing my experience with two major hacks on Magento stores to illustrate why every eCommerce platform needs proactive security measures and actions! These real incidents taught me that leaving security until “later” can lead to costly consequences.
Let me walk you through two stories that highlight the importance of taking immediate action on security.
Story 1: “We Don’t Need to Respond to Critical Vulnerabilities” (2015)
In 2015, my team and I were contracted by a large agency to support a store running on Magento Enterprise 1.9.0.x. One day, we received an urgent notification from Magento about a critical vulnerability called the "ShopLift Bug" (SUPEE-5344). This flaw allowed hackers to gain full control over a site, tamper with payments, and even inject code to steal credit card details.
Alarmed, we contacted the agency’s project manager to install the patch immediately, but our emails were ignored for 14 days. Our reminders about this "critical vulnerability" went unanswered. Eventually, we got permission to speak directly to the client—without mentioning that we were contractors.
We set up a call, but as soon as we connected, we were stunned. The client’s HQ had just been raided by the FBI. Their store had been hacked through the ShopLift vulnerability. Hackers had accessed customer data, including credit card information.
Our team spent days cleaning up the attack, securing the code, and rebuilding the trust the store had lost. The merchant was eventually cleared of any wrongdoing, and most customers got their money back. But this experience taught me a powerful lesson: Critical security patches should never be ignored. Delays can lead to serious consequences that are entirely preventable.
Lesson Learned:
Always install critical security patches as soon as they’re available. No project is too busy, and no approval process is too slow to justify leaving your site vulnerable.
Story 2: “We Don’t Need a Code Review” (2016)
The second story takes us to 2016, when we took over a Magento 1 Community Edition store with a custom product designer module. Customers could upload their own images to personalize products. At first, everything seemed fine, but when we asked for permission to conduct a code review, the project owners said no and we, sadly, didn't enforce it.
Then, one day, the merchant received an alarming email: someone claimed they had accessed the store’s server and downloaded the entire customer database.
When we reported it, the server admins replied that they hadn’t noticed anything suspicious, even though outbound traffic had spiked to 4 GB/s for several minutes. After a quick check, we found an unauthorized SSH key entry in the server’s access files - someone had indeed breached the server.
After investigating, we uncovered the problem: the custom image upload feature allowed users to upload PHP files instead of just images. This meant hackers could upload malicious code and execute it directly on the server. All they needed was a session key, generated when a customer personalized their product. By exploiting this, they gained access to the entire server infrastructure and downloaded sensitive customer data.
We immediately updated the code to prevent any PHP files from being uploaded, limited access to customer-uploaded files, and secured the server with the DevOps team.
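The shape of that fix, as an added example (not the article's or the product designer module's own code): the handler validates the upload by content rather than by the client-supplied name, stores it under a random name, and assumes $uploadDir is a directory outside the web root so nothing written there can ever be executed by PHP. The function name and the 5 MB limit are assumptions.

```php
<?php
// Added example: hardened customer image upload (not the original module).
// Assumes $uploadDir is outside the document root and the caller has
// already authenticated the customer session.
declare(strict_types=1);

/**
 * Validate and store an uploaded image; returns the stored filename or
 * throws RuntimeException with the reason the file was rejected.
 */
function storeCustomerImage(array $file, string $uploadDir): string
{
    // Allowed types, keyed by MIME type detected from the file's bytes.
    // $file['name'] and $file['type'] are attacker-controlled: never trust them.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > 5 * 1024 * 1024) { // assumed limit
        throw new RuntimeException('file too large');
    }

    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }
    // Parse the image header. A bare .php script fails here; a script hidden
    // behind a valid image header does not, so content checks alone are not
    // the guarantee: the random name and non-web-root directory are.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Discard the client filename entirely: "shell.php" or "photo.php.jpg"
    // never reaches disk under a name the web server would hand to PHP.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // no execute bit, not world-readable
    return $name;
}
```

Serve the stored files through a controller that looks them up by the returned name, sets Content-Type from the stored extension plus X-Content-Type-Options: nosniff, and checks that the requesting customer owns the design; this is what "limited access to customer-uploaded files" means in practice.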
Why the admins hadn't whitelisted IP access to the production servers is still a mystery to me...
Lesson Learned:
Code reviews and security checks are not optional. Even seemingly harmless features, like image uploads, can expose your site to major risks if not properly secured.
Key Takeaways for Developers and Store Owners
These stories highlight the high cost of neglecting security in eCommerce. Hackers are constantly finding new ways to exploit weak spots, and eCommerce sites—especially those handling sensitive payment information—are prime targets. Here’s what every store owner and developer should prioritize:
Final Call to Action: Secure Your Store Now!
For every developer, freelancer, or agency: make security a non-negotiable priority in your projects. Waiting for approvals or ignoring vulnerabilities could end in disaster - for your client, their customers, and your reputation.
If you’re a store owner, demand regular security checks and updates from your developers. Insist that every critical patch be applied immediately and all new features be vetted for security.
Don’t let bureaucracy or budget constraints leave your business vulnerable.
Secure your store now. Your customers trust you, and that trust depends on how seriously you take their security. Be proactive - don’t wait until it’s too late.
I'll end this article with this:
"It's easier to ask forgiveness than it is to get permission."
Of course, always test patches to ensure they work smoothly and don’t disrupt functionality. But never leave a vulnerable platform online without taking action to secure it.
I’d much rather have a conversation with a merchant about a few extra hours billed for securing the site than a difficult conversation about how their site got hacked because of stuck processes - no matter on whose end they were stuck.
You don't want to be hacked like Super-Pharm in Poland, do you? I truly wonder who dropped the ball there... guess we will never know. I wonder if it was CosmicSting, or something else....
Thanks, Jakub
P.S. These are just two instances where merchants I work with experienced hacks or data breaches.
Founder at luroConnect
4 months ago: I think your experiences, though old, can easily ring true today. While many Magento merchants and agencies are more aware of the security issues, the problem is a result of 2 things - You are as secure as your weakest link - You know what you know - so knowing more about security helps!
Digital Architect
4 months ago: Still 1.9?!?
Trust, safety and oversight of Generative AI — Helping businesses adopt AI and LLMs securely
4 months ago: 1.9?