Technology
Hackers target online stores with new attack
NEWYou can now listen to Fox News articles!
A security researcher found a serious weakness in the software that powers thousands of e-commerce sites. The platform, called Magento, and its paid version Adobe Commerce, has a bug that lets attackers break into active shopping sessions. Some attackers can even take control of the entire store.
The flaw is known as SessionReaper. It allows hackers to pretend they are real customers without needing a password. Once they are inside, they can steal data, make fake orders, or install tools that collect credit card details.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter
Why is this attack so serious?
The problem starts in the part of the system that handles how a store communicates with other online services. Because the software does not properly check the information it receives, it sometimes trusts data that it should not. Hackers take advantage of this by sending fake session files that the store accepts as real.
Researchers at SecPod warn that successful attacks can lead to stolen customer data, fake purchases and even full control of the store’s server.
Once the attack method was shared publicly, cybercriminals began using it right away. Security experts at Sansec reported that more than 250 online stores were compromised within a single day. This shows how quickly attacks can spread once a vulnerability becomes public.
Hackers are exploiting a new flaw called SessionReaper to hijack active shopping sessions on thousands of e-commerce sites running Adobe Commerce and Magento. (Kurt Knutsson)
Why are many stores still unprotected?
Adobe released a security update on Sept. 9 to fix the issue. Weeks later, about 62% of affected stores still have not installed it. Some store owners are afraid an update might break features on their site. Others simply do not know how serious the risk is.
Every unpatched store remains an open door for attackers who want to steal information or install malicious code.
MAJOR COMPANIES, INCLUDING GOOGLE AND DIOR, HIT BY MASSIVE SALESFORCE DATA BREACH
How can you stay safe when shopping online?
While store owners are responsible for fixing the problem, you can still take smart steps to protect yourself when shopping online. These actions can help you spot danger early and keep your personal information safe.
1) Look for warning signs
Always pay attention to how a website behaves. If a page looks odd, loads slowly or shows error messages, it could mean something is wrong behind the scenes. Check for the small padlock symbol in the address bar that shows the site uses HTTPS encryption. If it is missing or the site redirects you to an unfamiliar page, stop and close the browser tab immediately. Trust your instincts if something feels off.
2) Be careful with email links and use a data removal service
Cybercriminals often use fake promotional emails or ads that look like real store offers. Instead of clicking links in messages or banners, type the store’s web address directly into your browser to avoid phishing pages designed to steal your login details or card information. Since attacks like SessionReaper can expose your personal data to criminal marketplaces, consider using a reputable data removal service that continuously scans and deletes your private information, such as your address, phone number and email, from data broker sites. This reduces your risk of identity theft if your information has been leaked through a compromised online store.
While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com
Get a free scan to find out if your personal information is already out on the web: Cyberguy.com
Cybersecurity teams at SecPod and Sansec tracked more than 250 stores breached within 24 hours of the exploit going public, showing how fast these attacks spread. (Kurt “CyberGuy” Knutsson)
3) Use strong antivirus software
Strong antivirus protection is your silent guard online. Choose reputable software that offers real-time protection, safe browsing alerts and automatic updates. A strong antivirus program can detect malicious code that tries to run on your device, block unsafe sites and alert you to potential threats. This adds another crucial layer of defense when visiting online stores that may not be fully secure.
The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com
4) Use safe payment options
Whenever possible, choose payment services that add an extra layer of protection between your bank account and the online store. Platforms like PayPal, Apple Pay or Google Pay do not share your card number with the retailer. This reduces the chance of your information being stolen if the store is compromised. These payment gateways also offer dispute protection if a purchase turns out to be fraudulent.
5) Shop with trusted retailers
Stick to stores with a solid reputation. Well-known brands usually have better security and faster response times when issues arise. Before buying from a new website, check its reviews on trusted consumer sites. Look for signs of credibility such as clear contact information, a professional design and verified payment options. A few minutes of research can save you from weeks of frustration.
TRANSUNION BECOMES LATEST VICTIM IN MAJOR WAVE OF SALESFORCE-LINKED CYBERATTACKS, 4.4M AMERICANS AFFECTED
6) Keep your devices updated
Updates may seem annoying, but they are one of the most effective ways to protect your data. Make sure your computer, smartphone and web browser all have the latest security patches installed. Updates often fix the exact kinds of flaws hackers use to spread attacks like SessionReaper. Enable automatic updates if you can, so your devices stay protected without extra effort.
7) Use unique, strong passwords
If you create accounts on shopping sites, make sure each one has its own strong password. Avoid using the same password across multiple platforms. Consider using a password manager to generate and store long, random passwords. That way, if one account is compromised, your other logins stay safe.
Next, see if your email has been exposed in past breaches. Our No. 1 password manager (see Cyberguy.com) pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at Cyberguy.com
8) Turn on two-factor authentication
If a site or payment service offers two-factor authentication, enable it. This adds a second security step, such as a code sent to your phone or generated by an app. Even if hackers steal your password, they will not be able to access your account without that second verification.
Even weeks after Adobe issued a critical patch for the SessionReaper vulnerability, nearly two-thirds of affected online stores remain unprotected, leaving customer data and payment information at high risk of theft. (CyberGuy.com)
9) Avoid public Wi-Fi for purchases
FARMERS INSURANCE DATA BREACH EXPOSES 1.1M AMERICANS
Public Wi-Fi networks in places like cafés, airports and hotels are often unsecured. Avoid entering payment information or logging in to accounts while connected to public networks. If you must make a purchase while away from home, use a mobile data connection or a reliable VPN to encrypt your activity.
10) Monitor your bank and credit statements
Check your financial statements regularly for any unusual activity. Small, unauthorized charges can be early signs of fraud. Report any suspicious transactions to your bank or credit card company right away so they can freeze your account or issue a new card.
11) Report suspicious activity
If you notice anything strange during or after an online purchase, act quickly. Contact the store’s customer service to report what you saw. You should also inform your payment provider or credit card company so they can block unauthorized transactions. Reporting early can help stop further damage and alert other shoppers to potential risks.
Kurt’s key takeaways
The SessionReaper attack shows how fast online threats can appear and how long they can linger when updates are ignored. Even well-known stores can become unsafe overnight. For retailers, installing patches quickly is critical. For shoppers, staying alert and choosing secure payment methods are the best ways to stay protected.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Would you still shop online if you knew hackers could be hiding behind a store’s checkout page? Let us know by writing to us at Cyberguy.com
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter
Copyright 2025 CyberGuy.com. All rights reserved.
Android 17 is getting a dedicated gaming mode for foldables that will put a virtual gamepad with touch controls on half of your screen to theoretically make it easier to play games.
With foldable gaming mode, which is set to launch in the coming months, the virtual controller emulates physical button presses at a system level and is designed to work “with any game that supports physical controllers,” says Google’s Mishaal Rahman on Reddit. For the actual inputs, the virtual controller will have a D-pad; left and right virtual sticks; A, B, X, and Y buttons; L1, L2, L3; R1, R2, and R3; and a start button. And you’ll be able to configure the gamepad in several ways, such as keeping the virtual joysticks inline or staggered from each other, scaling the size of the buttons, and toggling haptics on or off.
Turning on the mode “is as simple as unfolding your device, either before or after launching a compatible game,” Rahman says. You can also choose to hide the gamepad, and if you connect a physical controller, the virtual gamepad will turn off on its own.
“Android allows you to play a wide variety of games on the go,” says Rahman. “While touch controls work incredibly well for many titles, certain games are better enjoyed with physical gamepads. The problem is that carrying a Bluetooth controller or a snap-on gamepad with you everywhere isn’t always convenient. We want to bridge that gap, and we’re addressing it with a new feature in the Android 17 platform release that’s specifically tailored for foldable devices.”
NEWYou can now listen to Fox News articles!
A letter arrives about a debt you don’t remember, from a company you’ve never dealt with, for an account you never opened. For a growing number of people, that notice is how they first learn someone used their identity.
Complaints to the Consumer Financial Protection Bureau (CFPB) about attempts to collect a debt not owed rose about 115% above their prior two-year average in 2025, and many of those consumers reported balances they didn’t recognize and suspected identity theft.
Before you panic or pay, it helps to understand why these letters show up and what rights you have.
WHY LAST YEAR’S BREACH IS THIS YEAR’S IDENTITY FRAUD
A collection letter for a debt you do not recognize can be the first sign that someone used your identity. (John Carl D’Annibale /Albany Times Union via Getty Images)
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
Why debt collectors contact you about a debt you do not owe
When a charged-off account is sold to a collection agency, the agency receives the original creditor’s application file, including whatever identifiers were used to open it. That contact information is often 90 to 180 days out of date by the time the account changes hands.
HOW SCAMMERS BUILD A PROFILE ON YOU USING DATA BROKERS
Before the first call, the agency runs skip tracing: matching a name, Social Security number (SSN) and past addresses against public records, postal change-of-address data, property and utility records and data-broker files to find the current person behind the account. At bulk volume, each lookup costs the agency pennies.
The agency then contacts you directly, by phone or mail, whether or not you have looked at your credit file.
How fake debt can start with identity theft
The account behind the notice may have been opened with your information pulled from breaches and resold, then approved by an automated check that matched the data to an existing file without confirming that the applicant was you. Opening a new account is the leading form of attempted identity misuse reported to the Identity Theft Resource Center (ITRC), which counted it more often than takeovers of accounts people already held. What happens after is less understood.
10 SIGNS YOUR PERSONAL DATA IS BEING SOLD ONLINE
Charged-off debts, including fraudulent ones, are sold in bulk portfolios for pennies on the dollar, often with thin supporting paperwork. One fraudulent balance can be sold and resold across several agencies. A debt you dispute and clear with one collector can be repackaged and reappear with another months later.
With medical debt, a bill can sometimes move toward collections before you see every explanation of benefits, insurance update or corrected statement. That is why you should contact the provider and your insurer before paying a collector.
What debt collectors legally have to tell you
Federal law gives you a defined response, and the clock starts at first contact. Under the CFPB’s Regulation F, a collector must send a validation notice describing the debt and your rights in, or within five days of, its first communication with you.
5 MYTHS ABOUT IDENTITY THEFT THAT PUT YOUR DATA AT RISK
You have 30 days from receiving that notice to dispute the debt in writing under the Fair Debt Collection Practices Act (FDCPA). Dispute inside that window, and the collector must stop collecting until it verifies the debt.
One important note: the FDCPA generally covers third-party debt collectors, not every original creditor. However, credit reporting laws, identity theft protections and state laws may still give you rights.
If the debt came from identity theft, send the collector an FTC Identity Theft Report from IdentityTheft.gov. Also, tell the collector in writing that you dispute the debt, that it resulted from identity theft and that you want it to stop reporting the account to the credit bureaus.
IS YOUR SOCIAL SECURITY NUMBER AT RISK? SIGNS SOMEONE MIGHT BE STEALING IT
Ask Equifax, Experian and TransUnion for a block under Section 605B of the Fair Credit Reporting Act (FCRA).
With a valid identity theft report and proof of your identity, the bureaus must block the fraudulent item within four business days. A block is harder to reverse than an ordinary dispute, which counts when the same debt can be resold.
The CFPB has said it may expand the meaning of identity theft under Regulation V to cover “coerced debt,” money run up in someone’s name without their consent, including in domestic and elder abuse cases.
What to do before you pay a debt collector
Before you send money or confirm any personal details, slow down and make the collector prove the debt belongs to you.
1) Ask for proof in writing
Do not pay, promise to pay or give out more personal information during the first call. Ask for the validation notice in writing and save every letter, voicemail and call log. Then send a written dispute within 30 days.
Fake debts can start with stolen personal information and then move from one collection agency to another. (PixelsEffect/Getty Images)
2) File an identity theft report if the debt looks fake
If you believe identity theft caused the account, create an FTC Identity Theft Report at IdentityTheft.gov. Send copies to the collector, the original creditor and all three credit bureaus. Also, place a fraud alert or credit freeze with Equifax, Experian and TransUnion, so it becomes harder for someone to open another account in your name.
3) Check medical bills before paying a collector
With medical debt, contact the provider and your insurer before paying a collector. Ask for an itemized bill and an explanation of benefits. A medical bill can end up in collections while paperwork, insurance reviews or billing disputes are still catching up.
4) Respond quickly if a collector sues you
If a collector sues you, do not ignore the papers. Respond by the court deadline or contact a consumer law attorney or legal aid group. Even a debt you do not owe can create bigger problems if you miss a court deadline.
Why early fraud alerts can save you money
Once a fraudulent account charges off and sells, cleanup gets harder. You may need to dispute the debt with the collector, the original lender and all three credit bureaus. If someone resells the debt, the same problem can come back months later.
YOU HAVE A CREDIT FREEZE. IT STILL ISN’T ENOUGH
Credit monitoring can help you spot a new account or hard inquiry before the debt reaches collections. That gives you time to contact the lender, dispute the account and freeze your credit sooner.
No service can prevent every account opened in your name. However, three-bureau credit monitoring can alert you when lenders report new accounts or hard inquiries. That can help you act before a collections notice arrives or a lender denies you credit.
See my tips and best picks on Best Identity Theft Protection at CyberGuy.com.
Kurt’s key takeaways
A collection letter for an unfamiliar debt deserves a closer look. It may mean someone opened an account in your name. Do not pay just to stop the calls. Ask for written validation and dispute the debt fast. If someone misused your information, file an FTC Identity Theft Report. Then freeze your credit and check all three credit reports. Early alerts can help you catch fraud before collections begin. That can save you money, time and stress.
Have you ever gotten a collection letter or call for a debt you knew you did not owe, and what did you do first? Let us know by writing to us at CyberGuy.com.
Before paying a collector, ask for written proof, dispute the debt and file an FTC Identity Theft Report if fraud is involved. (Daniel de la Hoz/Getty Images)
Sign up for my FREE CyberGuy Report
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
Copyright 2026 CyberGuy.com. All rights reserved.
RAMageddon has come for computers. The price of memory chips, hard drives, and solid state storage has skyrocketed. That’s led to price increases on desktop and laptop RAM, SSDs, spinning hard drives, and pretty much everything that uses any of those things. Consoles are more expensive. Desktops are more expensive. Laptops are more expensive. Tablets and phones are more expensive. Even MacBooks, which started out expensive but then started looking like a pretty good deal, just got more expensive.
All that sucks. But if (if) there’s a silver lining, it’s that most of the stuff you plug into a computer — keyboards, mice, webcams, monitors, and so forth — isn’t getting bananas expensive. Actually, there are some good deals out there.
Great keyboards on the cheap
Hot deals on mice in your area
Monitors to watch (get it?)
Cases and stands, hubs and docks, and other stuff
-
Arizona7 minutes agoArizona Lottery Pick 3 Evening, Fantasy 5 results for June 25, 2026
-
Arkansas9 minutes agoDeGray Lake Resort State Park offers a week’s worth of summer fun in Arkansas
-
California15 minutes agoThis 1947 adobe home has found a new life as a ‘modern California hacienda’
-
Colorado22 minutes agoColorado Springs police searching for missing 11-year-old
-
Connecticut25 minutes agoOpinion: More to do on gun violence prevention in CT
-
Delaware30 minutes agoAfter changing Delaware’s library system forever, she’s stepping away
-
Florida37 minutes agoFlorida tattoo shop refuses service to military and veterans for being ‘war criminals’
-
Georgia40 minutes agoWhat would it take for Missouri football to stun Georgia in 2026?
