AROUND 7,500 Magento sites have been defaced in a global hacking campaign, with attackers uploading plaintext defacement files on more than 15,000 hostnames and compromising affected infrastructure across Open Source, Enterprise, and B2B editions. Netcraft’s report notes that the activity began on 27 February 2026, and newly compromised sites continued to appear in the period covered, including a cluster of defacements on 7 March 2026.
The defacement pages typically displayed attacker handles such as L4663R666H05T, Simsimi, Brokenpipe, and Typical Idiot Security, often accompanied by “greetz” lists; several high-profile brands and government or academic domains were affected, mostly on subdomains, staging, or regional sites. Initial analysis suggests unauthenticated file uploads in some Magento environments may be exploited.
The campaign has been described as largely opportunistic rather than targeted, with a broad range of victims including government and non-profit entities, and several Trump Organization domains reported as defaced. According to Security Affairs, the campaign mirrors earlier activity, underscoring how widely deployed web platforms can become a vehicle for opportunistic exploitation.