Release line reached end of life on June 30, leaving stragglers open to attack

More than 200,000 e-commerce websites were still running on the Magento 1 platform last week, six days after Adobe discontinued support for the release line, new research has revealed.

The vast majority (95%) of these Magento installations posed a ‘high’ or ‘critical’ security risk, according to a vulnerability scan conducted by Foregenix on July 6.

Foregenix’s WebScan, which monitors about 240,000 Magento merchants around the world, found that the number of sites still running on Magento 1 fell from 206,021 on May 27 to 201,267 – a drop of only 1.69%.

This followed a similarly modest drop of 1.16% between April and May.

Two years’ notice

Announcing the decision to shelve Magento 1 in September 2018, Adobe gave websites nearly two years’ notice to migrate from the 12-year-old release line before it reached end-of-life status on June 30, 2020.

A report (PDF) documenting Foregenix’s findings revealed that security vulnerabilities were also widespread among Magento 2 websites, with half (49%) of merchants running the latest release line presenting a ‘high’ or ‘critical’ risk.

Foregenix classifies websites as high risk if they have missing critical framework security patches, known framework vulnerabilities, security issues with the website setup, or non-card harvesting malware on their systems.


Read more of the latest e-commerce security news


The UK-based cybersecurity company discovered that hundreds of websites were infected with malware loaders and skimmers used by cybercrime groups like those operating under the Magecart umbrella to exfiltrate payment information from compromised web pages.

Of the Magento sites infected with malware, 79.6% were running Magento 1 and 20.4% were powered by Magento 2.

Around 2,000 Magento sites were said to have been breached in each of May, June, and July.

Low migration rates

“Migration rates are very low,” Benjamin Hosack, co-founder and director of Foregenix, told The Daily Swig.

He said the company plans to update the Magento 1 installed base report every fortnight.

“We really need to get the story out there, as it is our belief that most of these sites simply don’t realise that their risk profile has changed so drastically in the last few weeks (and will continue to get worse),” he continued.

“Most will probably be thinking about the costs and challenges associated with migrating, rather than the risk and costs of a data compromise.”


Magento 1 reached end of life on June 30, 2020

Update your shopping cart

Magento recently issued its final ever security patch for Magento 1, which included mitigations for two serious security vulnerabilities, as reported by The Daily Swig on June 25.

Merchants who haven’t yet migrated from Magento 1 are advised to urgently update to Magento 2, or an alternative e-commerce platform, as soon as possible.

In a blog post published on June 24, Adobe said: “For those merchants who are still in the process of migrating, we encourage you to work with your solution partner, technology vendors, and our resource library to help in this process.

“If you need fast solutions to launch a Magento Commerce 2 store in as little as two weeks, please contact your Magento customer success manager.”

“It is likely many retailers have placed migrating platform to the bottom of their agendas, despite many payment processers issuing warnings to their customers,” said James Allen-Lewis, development director at Sonassi, which has launched an assurance scheme aimed at Magento-powered sites.

“Losing PCI compliance or customers’ personal information is a disaster for online retailers that manage online card payments as it is highly likely they will become liable for the damages caused to their customers, as well as having to pay the costs of a PFI investigation.”


YOU MIGHT ALSO LIKE Magento gang bypasses iframe protection on hosted payment sites