Security researcher Marcel Afrahim recently made a startling discovery while browsing Sesame Street’s online store.
Buried in the code of the site’s shopping cart was a piece of malicious software designed to pull customers’ credit card details and send them to an outside domain, a hack Afrahim describes in detail in a new Medium post.
Even more troubling? Afrahim suspects that more than 6,500 e-commerce sites have been compromised by the same hack that hit Sesame Street.
As Afrahim wrote in his post on the hack, the Sesame Street store runs on shopping cart software built by Texas developer Volusion.
Afrahim found 6,593 additional webpages that are “probably hosted by Volusion and are probably compromised.”
However, a ZDNet story notes that the number of compromised sites could be far higher, pointing out that Volusion claimed in a September press release that it has more than 20,000 customers.
For now, the Sesame Street store is not active, with visitors encountering the following message: “We are currently performing scheduled maintenance and updates on the website.”
The BBC reached out to Volusion with a request for comment on the breach, but the company did not respond, nor has it appeared to acknowledge the hack on its social media accounts or website.
But if this hack affects as many customers as suspected, Volusion won’t be able to avoid addressing it for long.
Editor’s Note, 10/10: A Volusion spokesperson sent the following statement to Futurism:
“Volusion was alerted of a data security incident and can confirm that it was resolved within a few hours of notification. We are coordinating with authorities on this matter, and continue to enhance our systems that detect and prevent unauthorized access to user accounts. A limited portion of customer information was compromised from a subset of our merchants. This included credit card information, but not other associated personally identifying details. We are not aware of any fraudulent activity connected to this matter. Volusion has taken action to help secure accounts, and we are continuing to monitor this matter in order to assure the security of our merchants.”
READ MORE: Cookie monster eats data from Sesame Street store [BBC News]