
Magento Marketplace Breached? - JeanMarcS
https://magento.com/blog/magento-news/magento-marketplace-security-update
======
JeanMarcS
I added a question mark, because it's not clear from their statement if there
is actually a breach.

But I also received this mail from Adobe / Magento:

Dear Magento Marketplace Account Holder,

We are writing to let you know about an issue that we recently identified, and
quickly fixed, that impacted some of your Magento Marketplace account
information. On November 21, 2019, our security team discovered a
vulnerability that resulted in an _unauthorized third-party accessing account
information_ related to Magento Marketplace account holders.

Upon discovery, we immediately launched an investigation, shut down the
service and addressed the issue. No passwords or financial data (including
payment card information) were impacted. None of the Magento core products or
services were affected by this issue.

The Magento Marketplace account information accessed was the information
associated with your Magento Marketplace user account, including name, email,
MageID, billing and shipping address information, billing and shipping phone
number, and limited commercial information (percentages for payments to
developers).

We take these issues seriously and are committed to helping ensure our
platforms are secure. We are reviewing our processes to help prevent these
types of events from occurring in the future.

We regret that this issue occurred and apologize for any inconvenience this
may have caused. As noted above, the issue has been fixed. However, as always,
we recommend following security best practices. Please follow this link to the
Magento Security Center for more information.

If you have any questions about this issue, please reach out through the
Magento Marketplace Help Center.

Thank you, Magento Marketplace Customer Support

~~~
sleighboy
That email is so vague that it makes me think the situation is far worse and
they're just feeding a "nothing to see here" story just before a holiday
weekend in the US. A compromised marketplace would be a great means of
sprinkling nefarious code into packages during deployment. I hope my
suspicions are proven to not be the case, but only because of all the people
locked into Magento relying on some dev shop to keep their business going.

