Detectify’s researchers analyzed 30,000 e-commerce stores

As the holiday season draws closer, the security researchers at Detectify have taken a deep dive into e-commerce security and analyzed 30,000 of the world’s most popular Magento stores. The results show that many online retailers are making serious security mistakes – in this article you will find out more about Detectify’s research and also learn how to keep your e-commerce business safe.

30,000 online stores vs 3 publicly available vulnerabilities

To take a quick snapshot of Magento stores’ security across the globe, the Detectify team analyzed 30,000 of the world’s most popular Magento sites based on Alexa rankings. The sample was then checked for 3 publicly available vulnerabilities as well as forced HTTPS, a basic security measure that prevents attackers from intercepting sensitive information.

Configuration file available on 500 stores
The /app/etc/local.xml file was a configuration file that contained the hidden path to the admin panel and the database password. Note the past tense here – this is an old vulnerability that isn’t a problem if you’re using an updated version of Magento. Magento stores running on servers other than Apache would serve this file to anyone, which is pretty bad, but what’s really scary is that 500 of the world’s top Magento stores are still vulnerable.

Exposed order history on 1,500 sites
Let’s talk about /RSS/order/NEW/new. This is an API for order history without any server-side authentication, allowing anyone to access sensitive order history data, including customers’ personal information. This vulnerability was patched two years ago, but was still found on 1,500 sites.

7,000 exposed admin panels
Leaving your admin panel exposed at /admin is the exact opposite of a best practice, as it makes it easier for hackers to try to log in. Magento generates a warning if you make this mistake, but 7,000 of the webshops in the sample have an exposed admin panel.

50% missing HTTPS by default
Protecting customers by ensuring they are using HTTPS is becoming an increasingly common best practice, especially for businesses that are handling sensitive information like credit card details. Despite this, a surprising half of the web stores analyzed by Detectify do not use HTTPS by default.

5 quick security tips from Detectify’s security experts

1. Keep your platform up to date
This applies to all e-commerce solutions, not only Magento! Updates often include security patches – the vulnerabilities Detectify’s researchers checked for in their analysis have all been patched in newer versions.

2. Make sure your admin panel is not exposed
This is not a critical vulnerability in itself, but it broadens the attack surface and paves the way for attackers to try to brute-force your password.

3. Implement HTTPS by default
Your customers might not be as tech-savvy as you are, and chances are they don’t know how to manually switch to HTTPS. To keep them and their data safe, set up HTTPS by default.

4. Use a strong password
Weak and easy-to-guess passwords like password, 123456, and admin are still surprisingly common. If you need help coming up with and remembering strong passwords, consider using a password manager.

5. Monitor your security
Staying up to date with the latest vulnerabilities is time-consuming, but luckily, automation can do the heavy lifting. Detectify is an automated security monitoring service for web applications and was built by the cool people who did the research behind this article.
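As an added example (not from Detectify’s research or from Magento’s own documentation), tips 1 and 3 and the local.xml finding above translate into a web server configuration like the following nginx fragment for a Magento 1 store; shop.example.com, the certificate paths and the PHP-FPM socket are placeholders.

```nginx
# Added example: nginx hardening for a Magento 1 store, covering the
# local.xml exposure and the HTTPS-by-default findings above.
# shop.example.com, certificate paths and the FPM socket are placeholders.

# Force HTTPS by default: every plain-HTTP request is redirected.
server {
    listen 80;
    server_name shop.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_certificate     /etc/ssl/certs/shop.example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/shop.example.com.key; # placeholder

    # Ask browsers to keep using HTTPS for one year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/magento;
    index index.php;

    # On Apache the .htaccess files shipped with Magento block these paths;
    # on nginx you must do it yourself. /app/ contains app/etc/local.xml
    # (database password and admin path); the rest is code, not web assets.
    location ^~ /app/      { deny all; }
    location ^~ /includes/ { deny all; }
    location ^~ /lib/      { deny all; }
    location ^~ /pkginfo/  { deny all; }
    location ^~ /var/      { deny all; }
    location ^~ /report/config.xml { deny all; }

    # Never serve dotfiles such as .htaccess or .git metadata.
    location ~ /\. { deny all; }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php-fpm.sock;  # placeholder socket
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After deploying, run `nginx -t` and confirm that a request for /app/etc/local.xml over HTTPS returns 403 and that any plain-HTTP URL is answered with a 301 to its HTTPS equivalent.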


Curious about how a hacker would analyze and attack a Magento website? Sign up for Detectify’s video seminar where security researchers Linus Särud, 18, and Fredrik Almroth, 27, share their insights and advice on e-commerce security.

Four reasons why MTG invested in InnoGames


We just invested in a games company. We’d never done that before. But it probably won’t be the last time.


A few weeks ago, we took a 35% stake in InnoGames, an online games developer and publisher. We have an option to go up to 51% next year, and to increase our shareholding even further over time.

But don’t you guys work in TV? Yep, we do. We’re super-proud of our broadcasting business, which has the industry’s largest content portfolio and delivers multi-screen experiences to viewers across Europe. What we’re doing with InnoGames is part of MTG’s strategy to transform into a leading digital entertainment provider.

We’re already the world’s biggest esports company – our ESL and DreamHack businesses will engage over 250 million fans in 2016. At the same time, our multi-platform networks (MPNs) Zoomin.TV and Splay generate 2.5 billion online views every month, 25% of which relate to gaming content.

So you could say gaming is a thread that already runs through our digital portfolio. It’s a multi-billion-dollar industry, with more than 2 billion players worldwide. For us, it therefore makes perfect sense to add gaming as our third digital entertainment vertical alongside esports and MPNs, giving us huge opportunities to create cross-promotions and synergies.

We will continue investing in all these areas. Of course, there are a whole bunch of games companies around – including some great ones at SUP46. Here are four reasons why we made InnoGames our first move in this space:

  1. Amazing games. InnoGames’ titles such as Elvenar, Grepolis and Forge of Empires have generated more than 150 million registered players.
  2. A proven financial track record. InnoGames has been profitable from year one and margins are high and stable. The company’s revenues have grown 20% every year for the last three years, and should hit EUR 125 million in 2016.
  3. A sustainable model. InnoGames operates a 100% free-to-play model with revenues coming from in-game purchasing. It develops multiple cross-platform titles, rather than a single blockbuster. And the games constantly evolve, keeping players engaged for years.
  4. Successful in mobile. Mobile is the fastest growing gaming segment, thanks to large audiences and more paying players. Today, 50% of InnoGames’ new users register on mobile platforms, and the company has some really exciting mobile-only titles in development.

All these things were really important in our decision – but don’t take this as an exhaustive checklist. As an entrepreneur myself, I know that the most successful start-ups are often those that break the rules completely.

Every rule, that is, except one.

Whatever your business, you have to love what you do. It’s about feeling an urgent hunger to disrupt everything – you wake up each morning wanting to change the world.

Passion, in other words, is at the heart of the entrepreneurial spirit. InnoGames has it. MTG has it. And so do the companies in which we’ll invest next.

/Arnd Benninghoff, CEO at MTGx


Job Board Alert

Work at a SUP46 startup – Detectify

Dreaming of becoming part of the startup scene? If spending your days with hard-working and extremely driven people trying to change the world appeals to you, then all you need to do is find the right fit. Our member Detectify is currently looking for a Sales Representative. Perhaps that is the team and product for you?

More open positions with SUP46’s members can be found on our Job Board.


  • What is Detectify all about?

Detectify is a web security startup founded by a group of top-ranked whitehat hackers. The company was born from the simple idea that the internet was broken. The service continuously monitors your website’s security status and reports back with issues. The idea is to help developers deploy safer code and make companies work preventively with security. In short, Detectify monitors your security so that you can focus on web development and building awesome products.

  • What is it like working at Detectify?

Detectify was founded by some of the world’s best security researchers and we aim to bring in people with the same passion and competence, whether they work in marketing, sales or tech. Our employees are from all over the world – and we all share a passion for making the internet a safer place, creating out-of-the-ordinary customer experiences and wanting to learn new things.

  • What sort of person are you hoping to see in this position?

Sales representative – We need to extend our sales team with an individual who loves establishing relationships with new customers. Someone who isn’t afraid to make calls, schedule meetings and help customers get started in the right way.

Detectify is a global company and our customers are spread all over the world, so good knowledge of English is a must. We believe that you have a few years of experience as a sales representative, preferably for another SaaS startup. Or perhaps you just have the right skill set to let Detectify be your first job.

  • What are you hoping to accomplish with the help of this new person?

We’re looking for someone who will add even more successful companies to the list of already existing customers such as Trello, King, Trustpilot, Le Monde and many, many, more.

  • You were also recently part of our joint Demo Day with 500 Nordics, pitching to 100 international investors – what was that experience like?

Great event with many interesting people in the room, both the pitching companies and the investors. Thank you for the opportunity to participate! We are always looking for people to join our team. Do you think you have what it takes and would like to be one of us? Check out our career page.


Think this job could be for you or someone you know? Read more about the position and apply here.

The Stockholm Investment Landscape


This infographic from The Nordic Web gives you a nice overview of the state of the investment landscape in Stockholm. Did you, for instance, know that during H1 2016 Stockholm-based startups had already raised $1.2B – thereby surpassing the total of investments made during the whole of 2015?

We are extra happy to be able to announce that SUP46’s members follow suit by surpassing $31M during the summer, the same amount that they raised during the whole of 2015!


New venue

Our new home

As you might have read earlier on DI Digital and Breakit we have left our first venue and moved 18 doors north to end up on Regeringsgatan 65. One of the absolute best things about this move was to be able to use all of the experience we have gained during the past three years when designing our new venue.

We have set it up with focus on our and our members’ needs (which means quite a few changes for the better in comparison with the last venue) and are so happy about the result. Another thing that is truly great is the fact that we now have our whole community gathered on the same floor.

The open Hangout Space and Event Space have been closed up until this week, which means very few have seen anything of our new venue. So we thought we would give you a sneak peek of what it looks like up here, on the third floor of Europahuset.

We look forward to welcoming you back to the new and improved SUP46 venue!