SessionReaper vulnerability hits Magento and Adobe Commerce stores

A security researcher has discovered a critical flaw in the software that powers thousands of e-commerce websites. The platform, called Magento, and its paid version Adobe Commerce contained a bug that allowed attackers to break into active shopping sessions. Some attackers can even take over the entire store.

The flaw is known as SessionReaper. It allows hackers to pretend to be real customers without needing a password. Once inside, they can steal data, place fake orders, or install tools that collect credit card details.

Sign up for my free CyberGuy report
Get the best tech tips, breaking security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – FREE when you join my site CYBERGUY.COM Newsletter

Why is this attack so dangerous?

The problem starts in the part of the system that handles how the store communicates with other online services. Because the program does not properly verify the information it receives, it sometimes trusts data it shouldn’t. Hackers take advantage of this by sending fake session files that the store accepts as real.

SecPod researchers warn that successful attacks could lead to theft of customer data, fake purchases, and even complete control of the store’s server.

Once the attack method was shared publicly, cybercriminals immediately began using it. Security experts at Sansec reported that more than 250 online stores were hacked within a single day. This shows how quickly attacks can spread once a vulnerability becomes public.

Why are so many stores still not protected?

Adobe released a security update on September 9 to fix the issue. Weeks later, about 62% of affected stores still have not installed it. Some store owners fear that the update will break features on their sites. Others simply do not know how serious the danger is.

Every unpatched store remains an open door for attackers who want to steal information or install malicious code.

Major companies, including GOOGLE and DIOR, suffered a massive sales force data breach

How can you stay safe when shopping online?

Although store owners are responsible for resolving the issue, you can still take smart steps to protect yourself when shopping online. These measures can help you detect danger early and keep your personal information safe.

1) Look for warning signs

Always pay attention to how a website behaves. If a page looks weird, loads slowly or displays error messages, it could mean something is wrong behind the scenes. Check for the small lock icon in the address bar that shows that the site is using HTTPS encryption. If it is missing or the site redirects you to an unfamiliar page, stop and close the browser tab immediately. Trust your instincts if you sense something.

2) Be careful with Email links And use a data removal service

Cybercriminals often use fake promotional emails or ads that look like real store offers. Instead of clicking on links in messages or banners, type the store’s web address directly into your browser to avoid phishing pages designed to steal your login details or card information. Because attacks like SessionReaper can expose your personal data to criminal markets, consider using a reputable data removal service that continually scans and deletes your private information, such as your address, phone number, and email, from data broker sites. This reduces the risk of your identity being stolen if your information is leaked through a hacked online store.

While no service can guarantee complete removal of your data from the Internet, a data removal service is truly a smart choice. It’s not cheap, and neither is your privacy. These services do all the work for you by systematically monitoring and scraping your personal information from hundreds of websites. This gives me peace of mind and has proven to be the most effective way to clear your personal data from the Internet. By limiting the information available, you reduce the risk of fraudsters cross-referencing data from breaches to information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free check to see if your personal information really exists on the web by visiting Cyberguy.com

Get a free check to see if your personal information is already on the web: Cyberguy.com

3) Use Powerful antivirus software

Powerful antivirus protection is your silent guardian online. Choose a reputable program that offers real-time protection, safe browsing alerts, and automatic updates. Powerful antivirus software can detect malicious code trying to run on your device, block unsafe sites, and alert you to potential threats. This adds another important layer of defense when visiting online stores that may not be completely secure.

The best way to protect yourself from malicious links that install malware, and potentially access your private information, is to install strong antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware, keeping your personal information and digital assets safe.

Get my picks for the best antivirus protection winners of 2025 for Windows, Mac, Android, and iOS at Cyberguy.com

4) Use secure payment options

Whenever possible, choose payment services that add an extra layer of protection between your bank account and online store. Platforms like PayPal, Apple Pay, or Google Pay do not share your card number with the retailer. This reduces the possibility of your information being stolen if the store is compromised. These payment gateways also offer dispute protection if a purchase turns out to be fraudulent.

5) Shop with trusted retailers

Stick to reputable stores. Reputable brands usually have better security and faster response times when issues arise. Before purchasing from a new website, check its reviews on trusted consumer websites. Look for signs of credibility such as clear contact information, professional design, and verified payment options. A few minutes of research can save you weeks of frustration.

Transunion becomes the latest victim in a major wave of cyber attacks linked to Salesforce, with 4.4 million Americans affected

6) Keep your devices updated

Updates may seem annoying, but they are one of the most effective ways to protect your data. Make sure you have the latest security patches installed on your computer, smartphone, and web browser. Updates often fix the exact types of flaws that hackers use to deploy attacks like SessionReaper. Enable automatic updates if you can, so your devices stay protected without extra effort.

7) Use unique, Strong passwords

If you create accounts on shopping sites, make sure that each account has its own strong password. Avoid using the same password across multiple platforms. Consider using a password manager to generate and store long, random passwords. This way, if one account is hacked, your other logins will remain safe.

Next, check if your email has been exposed in previous breaches. Our #1 password manager (see Cyberguy.com) Choice includes a built-in penetration scanner that checks if your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com

8) Run Two-factor authentication

If the site or payment service offers two-factor authentication, enable it. This adds a second security step, like a code sent to your phone or generated by an app. Even if hackers steal your password, they won’t be able to access your account without a second verification.

9) Avoid using public Wi-Fi networks for purchases

Farmers Insurance data breach exposes 1.1 million Americans

Public Wi-Fi networks in places like cafes, airports, and hotels are often unsecure. Avoid entering payment information or logging into accounts while connected to public networks. If you have to make a purchase while you’re away from home, use a mobile data connection or a reliable VPN to encrypt your activity.

10) Monitor your banking and credit data

Check your financial statements regularly for any unusual activity. Small, unauthorized charges can be early signs of fraud. Report any suspicious transactions to your bank or credit card company immediately so they can freeze your account or issue a new card.

11) Report suspicious activity

If you notice anything strange during or after your online purchase, act quickly. Contact store customer service to report what you saw. You should also inform your payment provider or credit card company so they can block unauthorized transactions. Early reporting can help stop further damage and alert other shoppers to potential dangers.

Key takeaways for Kurt

The SessionReaper attack shows how quickly online threats can appear and how long they can persist when updates are ignored. Even well-known stores can become unsafe overnight. For retailers, installing patches quickly is crucial. For shoppers, staying alert and choosing secure payment methods are the best ways to stay protected.

Click here to download the FOX NEWS app

Would you still shop online if you knew hackers might be hiding behind a store’s checkout page? Let us know by writing to us at Cyberguy.com

Sign up for my free CyberGuy report
Get the best tech tips, breaking security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – FREE when you join my site CYBERGUY.COM Newsletter

Copyright 2025 CyberGuy.com. All rights reserved.