Back to blog

JavaScript Malware Steals Card Details From Up To 300 New Websites

Data privacy & security News & releases

Written by

Published September 17, 2018 · Updated October 25, 2018

JavaScript Malware Steals Card Details From Up To 300 New Websites

After the theft of financial data of British Airways and Ticketmaster clients earlier this year, Feedify is another service to fall prey to JavaScript malware.

According to security experts, one of the company’s JavaScript files was infected with malicious code stealing users’ payment card details.

Who has been affected by the breach?

Feedify is a provider of push notification services for online websites with

over 4,000 customers around the world.

However, investigation by revealed that the malicious library has been embedded on approximately 300 websites, syphoning off visitors’ transactional data.

The actual number of affected individuals is unknown as the attacks may still be under way.

Reports from the infosec experts indicate that despite Feedify’s attempts to remove the code from their library, Magecart – the group responsible for the attack – has managed to re-add it at least two times.

It’s not known how Magecart accessed the Feedify servers. The company itself still hasn’t commented on the issue.

What is Magecart?

Magecart is a hacker operation specialising in skimming credit card details from unsecured payment gateways on websites.

It seems that recently the group has switched their strategy from hacking into the online shops to attacking popular third-party scripts. This means they’re now able to hit multiple targets simultaneously.

Earlier this week it became known that Magecart is responsible for the damaging attack on the website and mobile application of British Airways,

compromising the financial data of 380,000 people.

The same script has been used on Ticketmaster website, compromising payment card data of

nearly 40,000 individuals.

The list of Magecart victims goes on and includes companies such as

  • PushAssist
  • CMS Clarity Connect
  • Annex Cloud

and likely many others.

Is adding third-party elements worth the risk?

Websites now have dozens if not hundreds of third-party elements embedded in their code.

The Magecart hacks show the real danger of this, especially for the websites processing sensitive data like payment card details.

Since these components are hosted on external servers, you have no control over them, and limited possibilities to detect potential breaches resulting from the malicious code modifications.

If you decide to work with SaaS vendors using third-party scripts, your website’s security becomes as strong as the weakest link in your vendors’ ecosystem. (In the case of TicketMaster, the weakest link was a third-party script providing a chatbot used to communicate with clients.)

To eliminate that potential weak link, it’s better to steer away from third-party scripts and move towards products hosted on your own infrastructure or in a private cloud.

That way you remain in full control over any scripts implemented, and can apply additional security measures to prevent unauthorized access to clients’ sensitive transactional data.

There are several vendors providing such products with on-premises and private cloud options. One of them is Piwik PRO.

If you want to learn more about our offer or simply have some more questions about the recent breaches, don’t hesitate to contact us. Our team will be happy to help!



Karolina Lubowicka

Senior Content Marketer and Social Media Specialist

An experienced copywriter who takes complex topics of data privacy & GDPR and makes them understandable for all. LinkedIn Profile

See more posts by this author

Core – a new plan for Piwik PRO Analytics Suite

Privacy-compliant analytics, built-in consent management and EU hosting. For free.

Sign up for free