Cyber Incident Victim: Lindt
Date: Mar 2026
Location: Switzerland
Summary
Over 7,500 Magento sites have been hit in a mass defacement campaign where threat actors placed plaintext defacement files on affected infrastructure, including subdomains, regional storefronts and staging environments of global brands such as Asus, BenQ, Citroën, Diesel, FedEx, Fiat, FilaBandai, Lindt, Toyota and Yamaha, with some production-facing sites briefly defaced. The attackers likely exploited an unauthenticated file upload vulnerability (PolyShell) affecting Magento Open Source, Adobe Commerce and Magento B2B deployments, and many incidents were logged to the Zone-H defacement archive under the handle “Typical Idiot Security”.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The mass defacement campaign began roughly three weeks before March 7 2026, when Netcraft observed that over 7,500 Magento sites had been compromised, affecting more than 15,000 hostnames worldwide. Among the global brands listed as impacted was the chocolate manufacturer Lindt, alongside companies such as Asus, BenQ, Citroën, Diesel, FedEx, Fiat, FilaBandai, Toyota, and Yamaha. The attackers primarily targeted subdomains, regional storefronts, and staging environments, although a small number of production‑facing sites also experienced brief defacements. In addition to commercial entities, the campaign reached regional government services, university domains in Latin America and Qatar, international non‑profit organizations, and several domains associated with the Trump Organization.

The defacement consisted of plaintext files uploaded to the compromised servers. Most of these files displayed the attacker’s handle “Typical Idiot Security.” On March 7 2026, a subset of the files also contained political messages referencing recent geopolitical conflicts, but those messages appeared for only that single day and were absent from earlier or later defacements. Netcraft noted that the political content was not the primary motivation of the campaign. The majority of incidents were recorded in the Zone‑H defacement archive under the account “Typical Idiot Security,” indicating the threat actor’s attempt to build a consistent reputation through attribution.
Netcraft attributed the successful compromises to an unauthenticated file upload vulnerability affecting Magento Open Source, Magento Enterprise/Adobe Commerce, and Adobe Commerce deployments with Magento B2B. Sansec later disclosed the specific flaw, naming it PolyShell, and reported that it resides in the REST API of Magento and Adobe Commerce versions up to 2.4.9‑alpha2, allowing unauthenticated executable uploads and cross‑site scripting in versions prior to 2.3.5. The vulnerable code had existed since the initial Magento 2 release; Adobe addressed it in the 2.4.9 pre‑release branch as part of advisory APSB25‑94, though no isolated patch was available for current production versions at the time of reporting. Sansec had not observed active exploitation of PolyShell in the wild, but noted that the exploit code was circulating and anticipated to lead to automated attacks. Lindt’s affected sites experienced the brief defacements characteristic of production‑facing properties during the campaign, consistent with the pattern observed across other victims.
