A large-scale website defacement campaign has compromised more than 7,500 unique Magento e-commerce domains, allowing unauthorized text files to be uploaded to more than 15,000 related subdomains. The breadth of the campaign shows how hard it is for global e-commerce platforms to stay safe, especially those running environments that are unpatched or misconfigured.
Early investigations show that the attackers are exploiting a vulnerability in some Magento environments that allows unauthenticated file uploads. Affected versions span the Magento ecosystem, including Magento Open Source, Magento Enterprise, and enterprise-level Adobe Commerce deployments that use Magento B2B. Security researchers say the intrusion methods closely resemble those seen with the October 2025 SessionReaper vulnerability.
Cybersecurity company Netcraft first noticed the attacks on February 27, 2026. The attackers use weak infrastructure to host malicious plaintext files directly on the servers being attacked.
Defacement Strategy and Reasons for Action
The main goal of this large campaign is to build a reputation in the underground hacking community, not to steal money or destroy data.
The attackers behind the defacements left signatures on the pages, using names such as L4663R666H05T, Simsimi, Brokenpipe, and Typical Idiot Security.
[Image: Example of a defacement page showing the attacker's aliases and a "greetz" message (Source: Netcraft)]
These handles often come with "greetz" lists, a common way for attackers in the website defacement subculture to shout out their collaborators and affiliated hacking groups and to show that they are trustworthy.
A big effect on brands all over the world
Because modern defacement campaigns depend so heavily on automated mass scanning and on exploiting common software flaws, the attackers were able to compromise a huge number of sites in a very short time.
[Image: The notifier "Typical Idiot Security" told Zone-H about the pages. (Source: Netcraft)]
This wide-ranging, untargeted method has unintentionally caught a few well-known business groups.
Some of the best-known commercial brands in the world, such as Toyota, Fiat, Citroën, Asus, FedEx, Yamaha, and Lindt, were among the most affected. The campaign also hit domains linked to the Trump Organization, like trumpstore.com and trumphotels.com, as well as a number of regional government services and university domains in Latin America and Qatar.
[Image: An example of a compromised staging or regional storefront domain (Source: Netcraft)]
Even though the list of affected victims is alarming, the compromises mostly hit peripheral web infrastructure rather than core internal networks or sensitive customer databases. In most cases, the malicious text files were found only on subdomains, staging environments, or regional storefronts. But Netcraft says that a few production sites were affected for a short time before network administrators took steps to fix the problem.
The fact that the targeting was random shows that these well-known groups were not specifically chosen. Instead, they got caught in a bigger net that cybercriminals were using to automate their attacks on weak Magento infrastructure all over the internet.












