A security researcher found a serious weakness in the software that powers thousands of e-commerce sites. The platform, called Magento, and its paid version Adobe Commerce, has a bug that lets attackers break into active shopping sessions. Some attackers can even take control of the entire store.

The flaw is known as SessionReaper. It allows hackers to pretend they are real customers without needing a password. Once they are inside, they can steal data, make fake orders, or install tools that collect credit card details.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter 

Why is this attack so serious?

The problem starts in the part of the system that handles how a store communicates with other online services. Because the software does not properly check the information it receives, it sometimes trusts data that it should not. Hackers take advantage of this by sending fake session files that the store accepts as real.

Researchers at SecPod warn that successful attacks can lead to stolen customer data, fake purchases and even full control of the store’s server.

Once the attack method was shared publicly, cybercriminals began using it right away. Security experts at Sansec reported that more than 250 online stores were compromised within a single day. This shows how quickly attacks can spread once a vulnerability becomes public.

Why are many stores still unprotected?

Adobe released a security update on Sept. 9 to fix the issue. Weeks later, about 62% of affected stores still have not installed it. Some store owners are afraid an update might break features on their site. Others simply do not know how serious the risk is.

Every unpatched store remains an open door for attackers who want to steal information or install malicious code.

MAJOR COMPANIES, INCLUDING GOOGLE AND DIOR, HIT BY MASSIVE SALESFORCE DATA BREACH

How can you stay safe when shopping online?

While store owners are responsible for fixing the problem, you can still take smart steps to protect yourself when shopping online. These actions can help you spot danger early and keep your personal information safe.

1) Look for warning signs

Always pay attention to how a website behaves. If a page looks odd, loads slowly or shows error messages, it could mean something is wrong behind the scenes. Check for the small padlock symbol in the address bar that shows the site uses HTTPS encryption. If it is missing or the site redirects you to an unfamiliar page, stop and close the browser tab immediately. Trust your instincts if something feels off.

2) Be careful with email links and use a data removal service 

Cybercriminals often use fake promotional emails or ads that look like real store offers. Instead of clicking links in messages or banners, type the store’s web address directly into your browser to avoid phishing pages designed to steal your login details or card information. Since attacks like SessionReaper can expose your personal data to criminal marketplaces, consider using a reputable data removal service that continuously scans and deletes your private information, such as your address, phone number and email, from data broker sites. This reduces your risk of identity theft if your information has been leaked through a compromised online store.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com

Cybersecurity teams at SecPod and Sansec tracked more than 250 stores breached within 24 hours of the exploit going public, showing how fast these attacks spread. (Kurt “CyberGuy” Knutsson)

3) Use strong antivirus software

Strong antivirus protection is your silent guard online. Choose reputable software that offers real-time protection, safe browsing alerts and automatic updates. A strong antivirus program can detect malicious code that tries to run on your device, block unsafe sites and alert you to potential threats. This adds another crucial layer of defense when visiting online stores that may not be fully secure.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com 

4) Use safe payment options

Whenever possible, choose payment services that add an extra layer of protection between your bank account and the online store. Platforms like PayPal, Apple Pay or Google Pay do not share your card number with the retailer. This reduces the chance of your information being stolen if the store is compromised. These payment gateways also offer dispute protection if a purchase turns out to be fraudulent.

5) Shop with trusted retailers

Stick to stores with a solid reputation. Well-known brands usually have better security and faster response times when issues arise. Before buying from a new website, check its reviews on trusted consumer sites. Look for signs of credibility such as clear contact information, a professional design and verified payment options. A few minutes of research can save you from weeks of frustration.

TRANSUNION BECOMES LATEST VICTIM IN MAJOR WAVE OF SALESFORCE-LINKED CYBERATTACKS, 4.4M AMERICANS AFFECTED

6) Keep your devices updated

Updates may seem annoying, but they are one of the most effective ways to protect your data. Make sure your computer, smartphone and web browser all have the latest security patches installed. Updates often fix the exact kinds of flaws hackers use to spread attacks like SessionReaper. Enable automatic updates if you can, so your devices stay protected without extra effort.

7) Use unique, strong passwords

If you create accounts on shopping sites, make sure each one has its own strong password. Avoid using the same password across multiple platforms. Consider using a password manager to generate and store long, random passwords. That way, if one account is compromised, your other logins stay safe.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager (see Cyberguy.com) pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials. 

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com

8) Turn on two-factor authentication

If a site or payment service offers two-factor authentication, enable it. This adds a second security step, such as a code sent to your phone or generated by an app. Even if hackers steal your password, they will not be able to access your account without that second verification.

Even weeks after Adobe issued a critical patch for the SessionReaper vulnerability, nearly two-thirds of affected online stores remain unprotected, leaving customer data and payment information at high risk of theft. (CyberGuy.com)

9) Avoid public Wi-Fi for purchases

FARMERS INSURANCE DATA BREACH EXPOSES 1.1M AMERICANS

Public Wi-Fi networks in places like cafés, airports and hotels are often unsecured. Avoid entering payment information or logging in to accounts while connected to public networks. If you must make a purchase while away from home, use a mobile data connection or a reliable VPN to encrypt your activity. 

10) Monitor your bank and credit statements

Check your financial statements regularly for any unusual activity. Small, unauthorized charges can be early signs of fraud. Report any suspicious transactions to your bank or credit card company right away so they can freeze your account or issue a new card.

11) Report suspicious activity

If you notice anything strange during or after an online purchase, act quickly. Contact the store’s customer service to report what you saw. You should also inform your payment provider or credit card company so they can block unauthorized transactions. Reporting early can help stop further damage and alert other shoppers to potential risks.

Kurt’s key takeaways

The SessionReaper attack shows how fast online threats can appear and how long they can linger when updates are ignored. Even well-known stores can become unsafe overnight. For retailers, installing patches quickly is critical. For shoppers, staying alert and choosing secure payment methods are the best ways to stay protected.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Would you still shop online if you knew hackers could be hiding behind a store’s checkout page? Let us know by writing to us at Cyberguy.com

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter 

Copyright 2025 CyberGuy.com. All rights reserved.  

There are plenty of good smartwatches out there, and Google’s last-gen Pixel Watch 3 is one of them. Right now, the 45mm / Wi-Fi model is available at Amazon, Walmart, and Target for $199.99 ($100 off), which is a new low price and $150 less than the Pixel Watch 4. In her review, our own Victoria Song noted how impressed she was by the larger size’s lengthy battery life, as well as how versatile a companion it was to Android phones, particularly Pixel devices. For example, you can use the watch as a remote for your Google TV, download offline Google Maps navigation routes, and create voice recordings that automatically sync and are transcribed on a Pixel phone.

The Pixel Watch 3 recently received an overhaul, too, as Google rolled out an update to Wear OS 6, which introduced a refreshed design and Gemini AI to the watch (our initial tests show that it still has a long way to go before becoming vital). On the fitness and wellness side, the Pixel Watch 3 can track your activity, sleep, blood oxygen level, and heart rate. You can also use it to take an EKG from your wrist, if you feel the need.

If you need to charge more than one device at a time, Anker’s 2-in-1 USB-C cable will let you do that. It’s a practical, inexpensive gadget we think you’ll enjoy, and it’s nearly matching its best-ever price at $16.99 ($9 off) at Amazon (with Prime) and Anker’s online storefront (with code WSPDV22SVFBJ). One end of the cable plugs into the power adapter, while the other splits into two USB-C cables that can be plugged into different devices.

You can use any USB-C power adapter with this cable, but you’ll take full advantage of its peak power throughput with a 140W adapter — such as Apple’s 140W USB-C Power Adapter, which is also on sale for $74.99 ($25 off) at Amazon. The cable will automatically allocate how much power to send to both devices, but if you plug in two laptops, the first one that’s plugged in gets priority.

Microsoft’s official Xbox Wireless Controller has held the top spot in our guide to the best Xbox controllers for years, and now the black and white versions are selling for a new low of $39.99 ($25 off) at Amazon, Best Buy, and Target. The wireless gamepad is comfortable to hold, and its buttons, triggers, joysticks, and D-pad feel satisfying to use. I’ve used the one that came with my Xbox Series X for nearly five years, and it still feels new, with no dropped inputs or other signs of wear.

It runs on a pair of AA batteries, which you can easily swap out. You can also purchase a rechargeable battery pack for the controller if you prefer, but be mindful that it’ll lose its charging capacity over time. Xbox’s wireless controller costs as much on sale as many of our wired recommendations, and its wire-free design means you won’t feel tied down when you use it.

A few more deal standouts

The dark web often feels like a mystery, hidden beneath the surface of the internet that most people use every day. But to understand how scams and cybercrimes actually work, you need to know what happens in those hidden corners where criminals trade data, services and stolen access. 

Cybercriminals rely on a structured underground economy, complete with marketplaces, rules and even dispute systems to operate safely away from law enforcement. By learning how these systems function, you can better understand the threats that could reach you and avoid becoming the next target.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

5 SOCIAL MEDIA SAFETY TIPS TO PROTECT YOUR PRIVACY ONLINE

Inside the hidden layers of the internet

The internet is often divided into three layers: the clear web, the deep web and the dark web. The clear web is the open part of the internet that search engines like Google or Bing can index, including news sites, blogs, stores and public pages. Beneath it lies the deep web, which includes pages not meant for public indexing, such as corporate intranets, private databases and webmail portals. Most of the content in the deep web is legal but simply restricted to specific users.

The dark web, however, is where anonymity and illegality intersect. It requires special software such as Tor to access, and much of its activity happens behind encryption and invitation-only walls. Tor, short for The Onion Router, was originally developed by the U.S. Navy for secure communication but has since become a haven for both privacy advocates and criminals.

It anonymizes users by routing traffic through multiple encrypted layers, making it almost impossible to trace where a request truly came from. This anonymity allows criminals to communicate, sell data and conduct illegal trade with reduced risk of exposure.

Over time, the dark web has become a hub for criminal commerce. Marketplaces once operated like eBay for illegal goods, offering everything from drugs and stolen credit card data to hacking tools and fake identities. Many of these platforms have been shut down, but the trade continues on smaller, more private channels, including encrypted messaging apps such as Telegram. Vendors use aliases, ratings and escrow systems to build credibility.

Ironically, even among criminals, trust is a critical part of business. Forums often have administrators, verified sellers and mediators to settle disputes. Members who cheat others or fail to deliver are quickly blacklisted, and reputation becomes the main currency that determines who can be trusted.

The criminal economy and how scams are born

Every major cyberattack or data leak often traces back to the dark web’s underground economy. A single attack typically involves several layers of specialists. It begins with information stealers, malware designed to capture credentials, cookies and device fingerprints from infected machines. The stolen data is then bundled and sold in dark web markets by data suppliers. Each bundle, known as a log, might contain login credentials, browser sessions and even authentication tokens, often selling for less than $20.

Another group of criminals, known as initial access brokers, purchases these logs to gain entry into corporate systems. With that access, they can impersonate legitimate users and bypass security measures such as multi-factor authentication by mimicking the victim’s usual device or browser. Once inside, these brokers sometimes auction their access to larger criminal gangs or ransomware operators who are capable of exploiting it further.

Some of these auctions are run as competitions, while others are flash sales where well-funded groups can buy access immediately without bidding. Eventually, this chain of transactions ends with a ransomware attack or an extortion demand, as attackers encrypt sensitive data or threaten to leak it publicly.

Interestingly, even within these illegal spaces, scams are common. New vendors often post fake listings for stolen data or hacking tools, collect payments and disappear. Others impersonate trusted members or set up counterfeit escrow services to lure buyers.

Despite all the encryption and reputation systems, no one is truly safe from fraud, not even the criminals themselves. This constant cycle of deception forces dark web communities to build internal rules, verification processes and penalties to keep their operations somewhat functional.

What you can do to stay ahead of dark web-driven threats

For ordinary people and businesses, understanding how these networks operate is key to preventing their effects. Many scams that appear in your inbox or on social media originate from credentials or data first stolen and sold on the dark web. That is why basic digital hygiene goes a long way. Below are some steps you can take to stay protected.

MAJOR COMPANIES, INCLUDING GOOGLE AND DIOR, HIT BY MASSIVE SALESFORCE DATA BREACH

From password managers to antivirus software, experts share practical ways to keep hackers out of your data. (Annette Riedl/picture alliance via Getty Images)

1) Invest in personal data removal services

A growing number of companies specialize in removing your personal data from online databases and people search sites. These platforms often collect and publish names, addresses, phone numbers and even family details without consent, creating easy targets for scammers and identity thieves.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

2) Use unique passwords and a password manager

One of the easiest ways to stay safe online is to use unique, complex passwords for every account you own. Many breaches happen because people reuse the same password across multiple services. When one site is hacked, cybercriminals take those leaked credentials and try them elsewhere, a technique known as credential stuffing. A password manager eliminates this problem by generating strong, random passwords and securely storing them for you.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager (see Cyberguy.com) pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.

3) Install strong antivirus protection

Antivirus software remains one of the most effective ways to detect and block malicious programs before they can steal your information. Modern antivirus solutions do far more than just scan for viruses. They monitor system behavior, detect phishing attempts and prevent infostealer malware from sending your credentials or personal data to attackers.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

4) Keep your software updated

Outdated software is one of the biggest entry points for attackers. Cybercriminals often exploit known vulnerabilities in operating systems, browsers and plugins to deliver malware or gain access to systems. Installing updates as soon as they are available is one of the simplest yet most effective forms of defense. Enable automatic updates for your operating system, browsers and critical applications.

5) Enable two-factor authentication

Even if your password gets leaked or stolen, two-factor authentication (2FA) adds an additional barrier for attackers. With 2FA, logging in requires both your password and a secondary verification method. This includes code from an authentication app or a hardware security key.

6) Consider identity theft protection services

Identity theft protection can provide early warnings if your personal information appears in data breaches or on dark web marketplaces. These services monitor your sensitive data, such as Social Security numbers, bank details or email addresses. If anything suspicious is detected, they alert you. Many providers also offer recovery assistance, helping you restore stolen identities or close fraudulent accounts. While no service can prevent identity theft entirely, these tools can shorten your response time and limit potential damage if your data is compromised.

See my tips and best picks on how to protect yourself from identity theft at Cyberguy.com.

SCAMMERS NOW IMPERSONATE COWORKERS, STEAL EMAIL THREADS IN CONVINCING PHISHING ATTACKS

Protecting your identity starts with strong passwords, two-factor authentication and regular software updates. (Jens Kalaene/picture alliance via Getty Images)

Kurt’s key takeaway

The dark web thrives on the idea that anonymity equals safety. But while criminals may feel protected, law enforcement and security researchers continue to monitor and infiltrate these spaces. Over the years, many large marketplaces have been dismantled, and hundreds of operators have been caught despite their layers of encryption. The takeaway for everyone else is that the more you understand how these underground systems function, the better prepared you are to recognize warning signs and protect yourself.

Do you think law enforcement can ever truly catch up with dark web criminals? Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

Copyright 2025 CyberGuy.com.  All rights reserved.