WooCommerce responds to alleged data breach claim
WooCommerce has confirmed that no data breach occurred on its platform, contrary to earlier claims made by a hacker. The company states that the data in question likely originated from a third-party aggregator and was not obtained through a compromise of WooCommerce or any Automattic service.
A hacker going by the alias ‘Satanic’ recently claimed responsibility for a significant data breach affecting websites that use WooCommerce, a leading eCommerce platform. The attacker alleged that over 4.4 million customer records were compromised, including personal and corporate data such as email addresses, phone numbers, physical addresses, and social media profiles, as well as company revenues, staff sizes, and tech stacks.
The original announcement was made on Breach Forums, a known cybercrime forum, where the hacker stated that the data was available for sale via private messages or Telegram. While initial reports—including one by HackRead—linked the breach to WooCommerce-based stores, WooCommerce has since issued an official statement denying that its systems were involved in the incident.
‘We can confirm that no WooCommerce data has been involved in the breach described in these articles. Our team quickly investigated the data samples and compared them against our own records. We determined that the data was not obtained through a breach of WooCommerce.com or any other Automattic services.’ — Jay Walsh, Director of Communications, WooCommerce.
The company believes that the leaked data originated from a third-party service that aggregates publicly available information about e-commerce sites. It is unclear whether the data was accessed legally or obtained through other means.
The attacker claimed the breach was achieved by exploiting vulnerabilities in third-party systems integrated with WooCommerce-powered websites—such as CRMs or marketing platforms—rather than through WooCommerce itself. However, no technical evidence has been shared to substantiate this claim.
The incident follows previous breach claims by the same hacker involving platforms like Magento and Twilio’s SendGrid, the latter of which was also denied by the company.
WooCommerce, owned by Automattic, powers a large share of global online shops. While the platform remains secure according to its developers, the case highlights ongoing concerns about the security of third-party tools and integrations.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
About author
DW Team
The GIP Digital Watch Observatory team, consisting of over 30 digital policy experts from around the world, excels in the fields of research and analysis on digital policy issues. The team is backed by the creative prowess of Creative Lab Diplo and the technical expertise of the Diplo tech team.