Cyber Incident Victim: Citroën Automobiles S.A.
Date: Mar 2026
Location: France
Summary
Thousands of Magento sites were compromised in a mass defacement campaign that placed plaintext files bearing attacker handles and occasional political messages on the affected infrastructure. The campaign hit subdomains, regional storefronts and staging environments of global brands including Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota and Yamaha, as well as several regional government services, university domains in Latin America and Qatar, international non-profit organizations and domains linked to the Trump Organization. The attackers exploited an unauthenticated file upload flaw affecting Magento Open Source, Adobe Commerce and Magento B2B deployments. Around the same time, a separate REST API vulnerability dubbed PolyShell was disclosed that could allow unauthenticated upload of executables across all versions up to 2.4.9-alpha2. Although the PolyShell flaw has not been observed in active exploitation, the exploit method is circulating.
Description
On March 7, 2026, the security research firm Netcraft published details of a mass defacement campaign that had begun roughly three weeks earlier, affecting over 7,500 Magento installations and more than 15,000 hostnames worldwide. The attackers placed plaintext defacement files on the compromised servers, most of which displayed the handle ‘Typical Idiot Security’ while a smaller subset contained political messages referencing recent geopolitical conflicts. Netcraft observed that these political messages appeared only on the publication date of March 7, 2026, and were absent from earlier or later defacements, indicating they were not the primary motive of the campaign. The firm noted that the majority of incidents were logged in the defacement archive Zone-H under the account ‘Typical Idiot Security’, suggesting the threat actor was using the archive to build reputation. Among the global brands impacted were Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota, and Yamaha.

Netcraft attributed the defacements to an unauthenticated file upload vulnerability affecting Magento Open Source (Community Edition), Magento Enterprise / Adobe Commerce, and Adobe Commerce deployments with Magento B2B. Around the same time, the security company Sansec disclosed a separate flaw in the Magento REST API, which they named PolyShell, that could be exploited to upload executables to any store without authentication. Sansec reported that the PolyShell vulnerability impacts all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2 and could be used for cross-site scripting in versions prior to 2.3.5. The company explained that the vulnerable code has existed since the initial Magento 2 release and that Adobe addressed it in the 2.4.9 pre-release branch as part of advisory APSB25-94, though no isolated patch is currently available for production versions.

The campaign primarily compromised subdomains, regional storefronts, and staging environments of the affected brands, although a few production-facing sites experienced brief defacements. For Citroën, this meant that some of its Magento-based subdomains or regional storefronts displayed the attacker’s plaintext files, with the political messages visible only on March 7, 2026, before being removed. Netcraft’s report indicated that the defacement files were detected through monitoring of public web content and that the incidents were subsequently reported to the Zone-H archive using the ‘Typical Idiot Security’ account. In addition to commercial entities, the campaign also hit regional government services, university domains in Latin America and Qatar, various international non-profit organizations, and several domains associated with the Trump Organization. No further details about Citroën’s specific response or remediation actions are provided in the source material.
