
Cyber Incident Victim: Volusion

Date:

Oct 2019

Location:

United States of America

Summary

Hackers compromised a cloud-hosted e-commerce platform provider by infiltrating its Google Cloud infrastructure, injecting malicious JavaScript code into a critical file to steal payment card details entered by customers across thousands of online stores. The attack, identified as a Magecart-style web skimming operation, impacted potentially up to 20,000 client sites, with one prominent victim temporarily shutting down its storefront. Security researchers confirmed the ongoing exfiltration of sensitive data via a malicious script hosted on the provider's servers, noting similarities to prior cloud-based breaches targeting misconfigured accounts, though this marked the first major incident traced to Google Cloud. The company remained unresponsive to multiple attempts for clarification during the active breach.


Description

On or around October 7, 2019, hackers breached the infrastructure of Volusion, a cloud-hosted e-commerce platform serving over 20,000 online stores. The attackers compromised Volusion's Google Cloud environment, modifying a critical JavaScript file (resources.js) hosted on Google Cloud Storage at https://storage.googleapis.com/volusionapi/resources.js. This malicious code was delivered to Volusion's client stores through the /a/j/vnav.js file, enabling the systematic collection of payment card details entered by customers during checkout processes. Security researchers from Check Point, Trend Micro, and RiskIQ confirmed the attack as an active Magecart operation—a form of web-based card skimming where attackers harvest payment data directly from online forms. At the time of reporting on October 8, the malicious script remained active across Volusion's network, with confirmed compromises affecting at least 6,500 stores and potential impact reaching Volusion's entire customer base.

The breach represented the first documented Magecart attack targeting Google Cloud infrastructure, following a summer 2019 trend of cloud-based compromises primarily involving misconfigured AWS accounts. Attackers exploited Volusion's cloud environment similarly to May 2019 incidents where seven service providers (including Alpaca Forms and Picreel) suffered breaches due to cloud misconfigurations. Volusion did not respond to multiple contact attempts by journalists or cybersecurity firms during the initial disclosure period. The Sesame Street Live online store, among the highest-profile affected sites, was taken offline after media inquiries. RiskIQ's contemporaneous research indicated Magecart skimming operations had recently peaked, with over 18,000 websites compromised in preceding months. The incident remained unresolved at publication time, with malicious code still propagating to customer sites and no public acknowledgment from Volusion regarding containment measures or remediation timelines.
