A hacker using the alias “Satanic” claims a WooCommerce data breach via a third party, selling data on over 4.4 million users/clients, including records tied to major organizations like NVIDIA, Texas.gov, and the National Institute of Standards and Technology (NIST).
Just hours after claiming responsibility for a breach involving Magento, a hacker known as “Satanic” has surfaced again, this time alleging a data breach connected to WooCommerce, one of the most widely used eCommerce platforms on the web.
According to a post made on Breach Forums earlier today, the threat actor claims the incident occurred on April 6, 2025, and involves the extraction of more than 4.4 million records containing detailed personal and business information.
The announcement suggests the data wasn’t pulled from WooCommerce‘s core infrastructure directly but rather from systems closely tied to websites using the platform, likely CRM or marketing automation tools connected through third-party integrations.
The data breach appears to include both customer and company-level information, including emails, phone numbers, physical addresses, and social media links to business data such as sales revenue, employee count, domain authority rankings, and platform usage.
In total, the hacker claims the database holds:
- 998,000 phone numbers
- 4,432,120 individual records
- 1.3 million unique email addresses
- Metadata on corporate websites, including technology stacks and payment solutions.
Top Organisations Listed in the Sample Data
A 1,000-line sample shared by the hacker includes data from several notable websites, such as “nist.gov,” the official site of the National Institute of Standards and Technology (NIST), a U.S. Department of Commerce agency. Also listed is “texas.gov,” the official portal for the State of Texas.
In addition to government entities, the sample contains records linked to major organizations, including NVIDIA Corporation, the New York City Department of Education, the University of Oklahoma, and Oxford University Press, alongside data from other well-known institutions and private companies worldwide.
Each record includes detailed information typically found in well-arranged marketing databases, such as estimated revenue, number of SKUs (Stock Keeping units), marketing platforms in use (e.g., ActiveCampaign, HubSpot), hosting providers, and links to company social media.
Interestingly, several entries show references to WordPress CMS, with WooCommerce listed as the eCommerce plugin. Others highlight integrations with Salesforce, Pardot, and various payment platforms like PayPal and Stripe. This points to a data source larger than WooCommerce itself, possibly compiled through APIs or scraped from exposed CRM panels.
Data for Sale
The hacker is currently offering the database for sale via direct messages or Telegram without listing a fixed price. According to their post, they are “taking offers only.”
This claim follows a growing pattern from the same actor, who recently alleged a breach involving Magento via a third party and previously took credit for the Tracelo breach affecting 1.4 million users. Just last week, Satanic also claimed to have breached Twilio’s SendGrid, though that incident was publicly denied by the company.
If the WooCommerce-related breach proves authentic, it would represent one of the largest known exposures involving WordPress-based commerce platforms this year. The combination of personal contact information, business intelligence, and technology stack profiling makes the dataset valuable for threat actors engaged in phishing, social engineering, or competitive intelligence scraping.
At the time of publishing, WooCommerce has not issued any public statement regarding the claim. While Hackread.com has reached out to the company, businesses relying on WooCommerce and connected CRM or marketing tools should consider reviewing their third-party integrations and checking for unusual data access patterns.
UPDATE:
Automattic, the parent company of WooCommerce, responded to Hackread.com’s query regarding recent claims about the alleged WooCommerce data breach. The company clarified that, based on its investigation, the incident does not appear to be the result of a direct breach of WooCommerce.
“Based on our investigation, it appears the data is from a service that aggregates publicly accessible data about ecommerce stores and other websites in order to resell it. We’re not sure how the data was obtained: whether it was legally downloaded through the service or via other means.”
Automattic Spokesperson
When questioned by Hackread.com about Automattic’s response, the hacker maintained their claim that the data is not publicly available and was obtained from a third-party vendor directly connected to WooCommerce.
