The latest information released by the threat intelligence firm ‘Gemini Advisory’ suggests that the sensitive data stolen from Volusion’s servers back in November 2016 has found its way to the dark web.

Volusion is an SMB-focused e-commerce software company providing marketing and web design services. It has served more than 180,000 customers since it was established back in 1999.

In October 2019, it was discovered that hackers had successfully compromised the web frame of Volusion and injected an exploit into its servers. The attack was silent: even experts were unable to track the root exploit at that time. Data skimmers were used to steal credit card information from the databases of websites affiliated with Volusion.

At first, only 6,500 stores were thought to be infected. However, these reports were debunked after analysts discovered that more than 239,000 cards were being sold on the dark web in November 2019.

The hackers have reportedly made an estimated revenue of $1.6M from these stolen credit cards as more than 20 million records are up for sale.

Thankfully, a Check Point security researcher, Marcel Afrahim, miraculously discovered the exploit hiding among the resources loaded for the checkout page.

He discovered that a rogue JavaScript file was being executed. This file had no visible purpose on the website and was loaded from an outside source, which was quite strange. Out of sheer curiosity, Afrahim opened the file and found that it was indeed an exploit.

The rogue JavaScript file was named ‘volusionapi’ to disguise itself as a vital resource. It had been maliciously injected into the Google Cloud infrastructure of the company.

The exploit was capable of siphoning credit card data from Volusion straight to the hacker’s extraction point.
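The skimmer was found by noticing a script on the checkout page that came from an unexpected outside source. The following Node.js function, an added example that is not from the original article or from Check Point, audits a page's script tags against an allow-list and flags allowed third-party scripts that lack Subresource Integrity; the hosts, the `volusionapi.js` path and the allow-list are constructed placeholders.

```javascript
// Constructed checkout-page markup; every host and path is a placeholder.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/js/cart.js"></script>
<script src="https://cdn.example/lib/jquery.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example/lib/analytics.js"></script>
<script src="https://bucket.storage.example/volusionapi.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>`;

// Hosts the shop owner has reviewed and expects on checkout (assumed policy).
const ALLOWED_HOSTS = new Set(["shop.example", "cdn.example"]);

// Read one attribute from a raw opening tag (quoted or unquoted value).
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return one finding per script that deserves a closer look.
function auditScripts(html, pageUrl, allowedHosts) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    if (src === null) continue; // inline script, nothing is fetched
    let url;
    try {
      url = new URL(src, page); // resolves relative paths against the page
    } catch {
      findings.push({ src, issue: "unparseable-src" });
      continue;
    }
    if (!allowedHosts.has(url.hostname)) {
      // Loaded from a host nobody approved: the situation the article describes.
      findings.push({ src: url.href, issue: "unexpected-host" });
    } else if (url.origin !== page.origin && !attr(tag, "integrity")) {
      // Approved third party, but a tampered file would still be executed.
      findings.push({ src: url.href, issue: "missing-sri" });
    }
  }
  return findings;
}

console.log(auditScripts(SAMPLE_CHECKOUT_HTML, "https://shop.example/checkout", ALLOWED_HOSTS));
```

Run against saved copies of the checkout page on a schedule, a new `unexpected-host` finding is the signal to inspect the file by hand.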

After the discovery was made, a cybercrime group called FIN6 came forward and claimed responsibility for the sensitive information theft.

Volusion-affiliated domains from the US were massively affected. With records of more than 5,800 US-based e-commerce sites stolen, 97% of the 239,000 credit card records were from users residing in the U.S.

Now the data of more than 239,000 users is up for grabs to the highest bidder.