A hacker known by the alias “Satanic” has claimed responsibility for a massive data breach involving WooCommerce, one of the most widely used eCommerce platforms on the web.
The breach, which reportedly occurred on April 6, 2025, involved the theft of over 4.4 million user records, including detailed personal and business information.
According to posts made on Breach Forums earlier today, the threat actor claims the data wasn’t extracted directly from WooCommerce’s core infrastructure but rather from systems closely tied to websites using the platform, likely through third-party integrations such as CRM or marketing automation tools.
Extensive Data Exposure Targeting Major Organizations
The compromised database reportedly contains an extensive array of information, including 4,432,120 individual records, 1.3 million unique email addresses, and 998,000 phone numbers.
The data also includes metadata on corporate websites, including technology stacks and payment solutions.
A 1,000-line sample shared by the hacker reveals records from several notable organizations, including the National Institute of Standards and Technology (NIST), Texas.gov, NVIDIA Corporation, the New York City Department of Education, and Oxford University Press.
Each record contains detailed information typically found in marketing databases, such as estimated revenue, marketing platforms in use, hosting providers, and links to company social media accounts.
The sample data shows references to WordPress CMS with WooCommerce listed as the eCommerce plugin, along with integrations to various services like Salesforce, Pardot, PayPal, and Stripe.
This suggests the data likely originated from a comprehensive marketing or CRM database connected to WooCommerce implementations.
Pattern of Supply Chain Attacks by Prolific Threat Actors
This incident follows a growing pattern of similar claims by the same threat actor, who recently alleged a breach involving Magento via a third party and took credit for the Tracelo breach affecting 1.4 million users.
Just last week, Satanic also claimed to have breached Twilio’s SendGrid, though that incident was publicly denied by the company.
Active since at least September 2023, Satanic has become a prominent figure in various hacker forums and Telegram communities, managing channels dedicated to distributing stolen credentials, including stealer logs and combolists.
The actor has been linked to several high-profile breaches, including an October 2024 incident involving Hot Topic that reportedly exposed the personal data of 57 million retail customers.
The threat actor’s typical modus operandi involves exploiting third-party vendors to bypass enterprise security controls, often using infostealer malware to harvest credentials from compromised systems.
In the Hot Topic breach, researchers linked the incident to an infostealer infection affecting an employee from a third-party company, which granted access to sensitive cloud services.
Currently, the hacker is offering the WooCommerce database for sale via direct messages or Telegram without listing a fixed price, stating they are “taking offers only”.
If verified, this breach would represent one of the largest known exposures involving WordPress-based commerce platforms this year.
At the time of publishing, WooCommerce has not issued any public statement regarding the claim. Businesses relying on the platform should consider reviewing their third-party integrations and checking for unusual data access patterns.