560 million customer records exposed via Snowflake. 110,000+ sites compromised via Polyfill.io supply chain. E-commerce companies process millions of transactions — and attackers know exactly where the seams are.
Defining breaches in the retail & e-commerce sector
⚠ Active Threat — Supply Chain JS Compromise
110,000+ e-commerce sites compromised via a single CDN domain.
Polyfill.io — a widely-used JavaScript polyfill CDN — was acquired and modified in early 2024. E-commerce checkout pages that loaded the script were exposed to redirect injections and session hijacking. PCI-DSS 4.0 Requirement 11.6.1 now mandates payment page integrity monitoring specifically to prevent this attack pattern.
E-commerce companies face a combination of payment data exposure, third-party JS dependencies, customer account security, and financial fraud — all simultaneously. Here's where the attacks actually come from.
Attackers inject malicious JavaScript into your checkout page via a compromised third-party script. As customers type their card details, the data is copied to an attacker-controlled server. This can persist for months — or years — before discovery. PCI-DSS 4.0 Req. 11.6.1 (March 2025) specifically mandates payment page integrity monitoring to address this pattern.
Your checkout page loads dozens of third-party scripts: analytics, heatmaps, chat widgets, marketing tags, A/B testing tools. Each one is a potential compromise vector. Polyfill.io, FontAwesome, and jQuery CDN have all been weaponized. An attacker doesn't need to breach your network — they just need to compromise one script your site loads.
Leaked username/password combinations from other breaches are automatically tested against your login page. Because most users reuse passwords, a significant fraction will match your accounts. Attackers then lock out the real user, drain stored gift cards, use saved payment methods, or sell the account credentials on dark web markets. Hot Topic (57M accounts, Nov 2024) and The North Face (April 2025) were both credential stuffing victims.
Retail and e-commerce companies make large, frequent wire transfers to overseas suppliers, freight forwarders, customs agents, and marketplace platforms. Attackers impersonate vendors or C-suite executives via compromised email accounts to redirect payment. The FBI IC3 reports $2.9 billion in BEC losses annually with a recovery rate under 10%. The fix is not technical — it's trained human verification before every wire transfer above a threshold.
Demo credentials with no MFA on Snowflake's admin platform gave attackers broad access to 165 Snowflake customer accounts. Ticketmaster: 560 million customer records extracted — ticket history, partial payment cards, contact info. Multiple SEC 8-K disclosures. No network isolation on the platform. No MFA on admin credentials. The breach that defines third-party SaaS risk in 2024.
560M Records · SEC 8-K · No MFA on Snowflake
cdn.jsdelivr.net acquired the polyfill.io domain and modified the JavaScript to inject targeted redirects based on visitor IP address — gambling, adult content, phishing pages. 110,000+ websites loading the script in their checkout flow were affected. Google Chrome began blocking the domain in June 2024. PCI-DSS 4.0 Req. 11.6.1 was specifically designed to prevent this attack pattern.
110K+ Sites affected · Checkout integrity compromised
HVAC vendor credentials phished → network pivot to payment systems → BlackPOS malware on POS terminals → 40 million credit/debit card numbers + 70 million customer records. Total cost: $292M+ ($18.5M states, $67M card brands, $85M banks). Third-party vendor access was the initial compromise vector. PCI-DSS violation + vendor risk failure. The case that changed retail cybersecurity forever.
$292M+ Total breach cost · 40M cards · PCI violation
Credential stuffing attack via bot infrastructure (named Farm/Glutton) targeted Hot Topic and Torrid accounts. 57 million accounts: email addresses, phone numbers, hashed passwords, partial payment card data. Linked to data compiled from Snowflake breaches. Class action filed in California. The same attack pattern affected The North Face in April 2025.
57M Accounts · Credential stuffing · Class action filed
A single breach at an e-commerce company can trigger multiple state and federal regulations simultaneously. Here's what each requires and what the penalty exposure looks like.
| Regulation | Agency | Key Requirement for E-Commerce | Penalty |
|---|---|---|---|
| PCI-DSS v4.0 | Card Brands (Visa, Mastercard, Amex) | Payment page integrity monitoring for card-skimming (Req. 11.6.1); security awareness training for all staff handling cardholder data (Req. 12.6); MFA for all access to cardholder data (Req. 8.4.2); annual penetration testing | $5K–$100K/month |
| CCPA / CPRA | California Attorney General / CPRA Regulations | Right to know, delete, and opt out of sale of personal info; data minimization; vendor contracts (CalOPPA for online operators); 72-hour notice of breach to CA residents for certain incidents | $2,500/violation; $7,500/intentional violation |
| Colorado CPA | Colorado Attorney General | Consumer data privacy; opt-out rights for sale of personal data; equal visual treatment for opt-out signals; data protection assessments for high-risk processing | Civil penalties up to $20M |
| Virginia CDPA | Virginia Attorney General | Consumer rights to access, delete, correct, and opt out of data sale; controller/processor obligations; data protection assessments; private right of action for data breaches | Civil penalties + private right of action |
| Texas TDPSA | Texas Attorney General | Consumer data rights; opt-out mechanisms; consent requirements for sensitive data; data protection officer requirements for large processors | Civil penalties up to $10M |
| GDPR | EU Data Protection Authorities | Applies to EU-resident customers regardless of where the company is based; lawful basis for processing; 72-hour breach notification; right to erasure; data minimization; cross-border transfer restrictions | Up to €20M or 4% global revenue |
| FTC Safeguards Rule | Federal Trade Commission | Applies to retailers operating installment credit, co-branded cards, or in-house financing; written security program; annual risk assessment; employee training; incident response plan; vendor oversight | $51,744/violation/day |
Generic security training doesn't address the specific attack patterns hitting e-commerce companies. These three drills cover the vectors that have actually breached major retailers — from supply chain JS to invoice fraud.
Walk your development and DevOps teams through the actual Magecart attack chain: how malicious scripts get injected into payment pages, how to audit all third-party JavaScript loaded on your checkout, and how to implement Subresource Integrity (SRI) and Content Security Policy (CSP) headers that detect unauthorized script changes.
Walk your finance and accounts payable team through the BEC attack pattern: how attackers impersonate vendors and C-suite executives via email to redirect wire transfers. This drill covers the callback verification protocol, dual-control wire approval workflows, and the exact steps to take within 72 hours of a suspected fraud incident.
Walk store managers, loss prevention teams, and customer service staff through the social engineering and credential stuffing attack patterns. This drill covers phishing emails targeting retail operations, phone-based impersonation, how to detect account takeover attempts, and what to do when a customer reports suspicious account activity.
No per-seat licensing. No annual contracts. Book a session, train your team, done.
Free Download
10 attack patterns targeting e-commerce and retail operations, the SLAM checklist (Sender, Links, Attachments, Message), and a 30-day quick-start for building a security-aware culture. Directly applicable to your team from day one.
Magecart refers to a collection of threat groups that inject malicious JavaScript into e-commerce websites, particularly Shopify, Magento, and WooCommerce checkout pages. The attack works by compromising a third-party script dependency — a marketing tool, analytics tracker, or chat widget — and inserting a card-skimming script that copies form fields (card number, CVV, expiry, name, address) as the customer fills them in. The data is exfiltrated to a server controlled by the attacker, typically disguised inside a harmless-looking script block. The attacker waits weeks or months before monetizing the data on dark web marketplaces. The customer never knows. The merchant may not know until their bank flags a spike in fraud on their co-branded cards. PCI-DSS v4.0 Requirement 11.6.1 specifically targets this attack pattern with payment page integrity monitoring.
In May 2024, threat actors leveraged credentials stolen via infostealer malware to access Snowflake customer data storage accounts. The attackers used demo/test credentials left on developer environments — credentials that were never rotated and had no MFA. Through Snowflake's platform-level access, they extracted data for 165 Snowflake customers, including Ticketmaster (560 million user records including ticket purchase history, partial payment card data, and contact information). No MFA on Snowflake admin accounts and the absence of network-level isolation meant once credentials were compromised, the attackers had broad platform access. The breach triggered SEC 8-K disclosures from multiple public companies. The lesson: your third-party SaaS vendors are part of your attack surface.
PCI-DSS v4.0 (effective March 31, 2025) applies to any merchant that accepts, processes, stores, or transmits payment card data — including e-commerce businesses that use a hosted payment page or an integrated payment gateway. Requirement 12.6 now mandates formal security awareness training for all staff involved in cardholder data handling. Requirement 11.6.1 requires monitoring the integrity of payment page scripts — directly addressing the Magecart threat. Requirement 8.4.2 requires MFA for all access to cardholder data. The compliance consequence is real: fines of $5,000 to $100,000 per month from card brands, forensic investigation costs, and potential suspension of payment processing capability — which for an e-commerce business is existential.
Polyfill.io was a widely-used JavaScript CDN that polyfilled legacy browser APIs. In February 2024, the domain was acquired by a Chinese company and the script was modified to inject targeted functionality based on visitor IP address — redirecting some users to adult content, betting sites, and phishing pages. Approximately 110,000 websites that loaded the polyfill.io script were affected. E-commerce sites that used Polyfill.io in their checkout flow had their payment pages potentially compromised. In June 2024, Google Chrome began blocking polyfill.io. Any e-commerce site that used Polyfill.io needs to audit all third-party JS dependencies on its checkout pages, replace Polyfill.io with self-hosted alternatives, and implement Subresource Integrity (SRI) for third-party scripts. This is what PCI-DSS 4.0 Req. 11.6 is designed to prevent.
Business Email Compromise (BEC) targeting e-commerce and retail companies typically follows two patterns: (1) Vendor impersonation — an attacker compromises or spoofs an email from a supplier, freight forwarder, or inventory vendor, then sends updated wiring instructions for a pending invoice. (2) Internal impersonation — an attacker compromises a C-suite or finance executive email, then sends an urgent wire request to accounts payable. For e-commerce companies, the fraud surface includes: overseas suppliers paid by wire (customs, freight, component manufacturers), marketplace payout redirection (Amazon, Shopify, eBay seller account payout changes), and bulk inventory purchase fraud. The FBI IC3 reports $2.9 billion in BEC losses annually with a recovery rate under 10%. The human control is the same every time: verify all payment change requests via callback on a known-good number, never via email contact information.
Credential stuffing is an automated attack where criminals take username/password pairs leaked from other data breaches and automatically test them against your e-commerce login page. Because many people reuse passwords, a significant percentage will match your user accounts. The attacker logs in, changes the password to lock out the real user, updates the email, and either uses stored payment methods or purchases gift cards with saved credit. The costs: chargebacks on fraudulently used cards (your liability), customer service costs, reputation damage, and potential regulatory action if personal data is exposed. Hot Topic (57M accounts, Nov 2024) and The North Face (April 2025) were both credential stuffing victims. Defenses: MFA on all accounts, bot detection/WAF, rate limiting on login endpoints, and password breach monitoring.
Book a live session today. Sessions are 60–120 minutes, held over Zoom, and built around your e-commerce platform, payment processor, and compliance requirements.