Blurred background image

Hanna Andersson’s SF Commerce Cloud Site Hacked: The UV Take

Building a high-security ecommerce site is hard, very hard. But building an ecommerce site that is so bulletproof that it is never once infected by a virus or other sort of malicious hack attack? Now that is impossible.

This is why, while Hanna Andersson’s site, which runs Salesforce Commerce Cloud (and UV has no relation to this client), has been getting some press for having been hacked between September and November 2019 — indubitably driven by the lawsuit that followed from Bernadette Barnes’ credit card information having been stolen after a $119 purchase on the site, among others — there are a few points about this event that are important to articulate that we haven’t yet seen mentioned in the media. These have compelled our team to pen this article.

The first point is possibly the most important: we feel for you, Team Hanna Andersson. Even if the site was built by a competitor of ours, this is not the time to mock them but to empathize with them. UV’s websites and work have been astoundingly lucky in the face of the constant threat of attackers and hackers, but our day will come. It is a statistical inevitability. And do unto others as you would have them do unto you is ancient, received wisdom always worth remembering.

The second point is that, having analyzed the cause of the attack, it is clear that it is not a problem nor hole in Salesforce Commerce Cloud itself. As a company that lives and breathes Salesforce Commerce Cloud, we felt compelled to investigate it, to be sure that our preferred platform was as safe as we have thought. Trust, but verify — and we trust Salesforce Commerce Cloud, but constantly verify that our trust is worth it. Our review of the causes has led us to verify that the problem wasn’t with Salesforce Commerce Cloud but rather with how the developers developed on top of it.

Which brings me to our third point: the developers made a mistake. They are, after all, human — believe it or not. This hack attack was a classic case of cross-site scripting, one of the most common ways in which sites are hacked. And as the Commerce Cloud documentation makes clear, “XSS” (that’s the common developer abbreviation of cross-site scripting) is prevented by default on SFCC, except there is a flag in which you can disable the protection if you need to for some reason — such as if it creates an incompatibility with another part of the code. And those situations sometimes happen:

It seems overwhelmingly likely, to the point where we would bet our farm on it (well, at least I would bet my non-existent farm on it) that they just forgot to include this line and, as such, left a door wide open for the attackers. A bit like leaving your front door wide open for weeks on end to your luxury mansion that’s right next to the city shantytown.

Fourth, and finally, United Virtualities, being a very security-conscious company, with a veteran team experienced in dealing with many forms of attacks and hacks — to use today’s rhyme — has a security checklist that we insist on always implementing on each client project. We do our classic XSS-prevention codes and check to make sure they’re there. We do third-party site scans to try to expose any holes. We use various cartridges and add-ons specifically to strengthen the security of our sites, like Wordfence for WordPress, for example.

Based on all of this, there are a few conclusions. One is that paranoia pays off: perhaps there is wisdom in Woody Allen’s joke that, “Just because I’m paranoid doesn’t mean they’re not after me.” Another is that we must remember that publicity doesn’t just happen, it’s paid for: yes, the site was hacked, but why is it that so many publications are wanting everyone to talk about it now? And the final lesson is the importance of investigating when others make mistakes — even those not directly relevant to your work at hand, but more broadly to the platforms and systems you’re dependent on. You’re only as strong as the platform you’re on.

PS: UV is one of the world’s leading Salesforce Commerce Cloud agencies. Contact us to see how we can work together.

Related Ideas

If you got value from this article, you may enjoy these other articles, as well. We’re always adding value!

WordPress With WooCommerce Or Salesforce Commerce Cloud: Which Is Better for Your Online Store?
  • United Virtualities: We are UV
  • Commerce
  • Salesforce Commerce Cloud

WordPress With WooCommerce Or Salesforce Commerce Cloud: Which Is Better for Your Online Store?

We wrap our heads around Wordpress, which powers 35% of the internet, and compare it to...
Salesforce Commerce Cloud Conversion Optimization: Should You Require a Login For Sales…. Or Not?
  • United Virtualities: We are UV
  • Commerce
  • Salesforce Commerce Cloud

Salesforce Commerce Cloud Conversion Optimization: Should You Require a Login For Sales…. Or Not?

Choose your own login adventure: requiring logins or not is part of the secret sauce of...
For Your eCommerce Store, Is Magento or Salesforce Commerce Cloud A Better Choice?
  • United Virtualities: We are UV
  • Commerce
  • Salesforce Commerce Cloud

For Your eCommerce Store, Is Magento or Salesforce Commerce Cloud A Better Choice?

We start this week with a new battle: Magento vs SF Commerce Cloud. Which one's better...

Latest ideas

Our latest thinking about SF Commerce Cloud.

What Are the Essentials of an Order Management System?
  • United Virtualities: We are UV
  • Salesforce Commerce Cloud 101: A Beginner's Guide

What Are the Essentials of an Order Management System?

When the customer clicks “buy” the delicate dance of the order management system begins. Here is the choreography. [...]

Three System Shootout: The Order Management Systems of Netsuite, Kibo, and Lightning
  • United Virtualities: We are UV
  • Commerce
  • Salesforce Commerce Cloud

Three System Shootout: The Order Management Systems of Netsuite, Kibo, and Lightning

What is the best order management system to integrate with Salesforce Commerce Cloud? We look at the top contenders. [...]

Challenges for Salesforce Commerce Cloud
  • United Virtualities: We are UV
  • Commerce
  • Salesforce Commerce Cloud

Challenges for Salesforce Commerce Cloud

The good and the bad; the triumphs and the difficulties. We confront the biggest challenges that face Salesforce Commerce Cloud. [...]

Let's team up.
Talk to us!

UV has acquired SFCC & AEM specialist dev shop, Sawyer EffectLearn all about it!
How Do I Choose The Right Salesforce Commerce Cloud Tech Partner? Find out in our free eBook, "The Definitive Guide to Choosing The Right SFCC Tech Partner For You"