Dark Web News Analysis
A threat actor on a known cybercrime forum is advertising the alleged leak of a database belonging to Mercadia City (mercadia_city.com), a Spanish e-commerce entity.
This claim, if true, represents a critical administrative compromise. The leak is not a simple CSV export; it contains raw SQL statements, specifically an INSERT INTO admin_user command.
Technical Analysis:
- The “Smoking Gun”: The SQL sample reveals the admin_user table, containing emails and hashed passwords for the site’s administrators.
- Platform Identification: The leaked configuration settings (mentioning codazon, shopbybrand, layerednavpro) strongly suggest the site is built on Magento 2 (Adobe Commerce), as these are common third-party extensions and themes for that platform.
- Attack Vector: The format of the leak (raw SQL injection output) indicates the attacker likely exploited an SQL Injection (SQLi) vulnerability in one of these third-party plugins or the core CMS to dump the database.
This incident fits into the broader 2025 cyber-crisis in Spain, where attackers are systematically targeting digital infrastructure across all sectors.
Key Cybersecurity Insights
This alleged data breach presents a critical and immediate threat:
- Exposure of Administrative Credentials: The leak explicitly shows an admin_user entry. Even if the password is hashed, attackers can attempt to crack it or use the email to launch targeted phishing attacks against the administrator to gain full control.
- Potential for System Control: Access to administrative credentials poses a severe risk, potentially leading to full control over the website. Attackers could install digital skimmers (Magecart) to steal customer credit cards in real-time, manipulate prices, or delete data.
- Third-Party Plugin Risk: The presence of specific plugin names (codazon) highlights the supply chain risk in e-commerce. Vulnerabilities in themes and extensions are a primary vector for compromising Magento sites.
- Imminent Data Breach Confirmation Required: Despite being labeled “alleged,” the provided SQL data is highly specific and credible, necessitating immediate verification.
Mitigation Strategies
In response to this claim, the company and all e-commerce administrators must take immediate action:
- Immediate Credential Rotation and Audit: All administrative passwords, particularly for the compromised admin_user account and related systems, must be immediately reset. Check for any new, unauthorized admin accounts created by the attacker.
- Vulnerability Management (Patch Plugins): Conduct an urgent vulnerability assessment of the web application. Specifically, check if the Codazon theme or other extensions (shopbybrand) have pending security updates or known SQLi vulnerabilities.
- Multi-Factor Authentication (MFA) Enforcement: Implement and enforce MFA for the admin panel (/admin). This is the single most effective defense against stolen credentials.
- Deploy a WAF: Implement a Web Application Firewall (WAF) to block SQL injection attempts and restrict access to the admin panel to specific IP addresses.
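One way to act on the verification and audit steps above, as an added example that is not part of the original post: a small Python script that parses a leak sample in the INSERT INTO admin_user form the post describes, names the hash algorithm from Magento 2's hash:salt:version layout (the version ids are an assumption), and compares the leaked emails against the defender's own admin list, so that matches confirm the leak is genuine and unknown entries surface possible attacker-created admin accounts. The dump, accounts and hashes are constructed for illustration.

```python
import re

# Constructed sample shaped like the leak described in the post; accounts and hashes are invented.
SAMPLE_DUMP = """INSERT INTO `admin_user` (`user_id`, `username`, `email`, `password`, `created`, `is_active`) VALUES
(1, 'admin', 'admin@mercadia.example', '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08:aB3dEf:1', '2021-03-01 10:00:00', 1),
(7, 'support2', 'helpdesk@attacker.invalid', '3b1f0e7a9d2c4e6f8a0b1c2d3e4f5a6b:xY:0', '2025-09-30 02:14:11', 1);
"""

# Assumption: Magento 2 stores admin passwords as hash:salt:version, the version id naming the algorithm.
HASH_VERSIONS = {"0": "md5", "1": "sha256", "2": "argon2id13"}

STMT_RE = re.compile(r"INSERT INTO\s+`?admin_user`?\s*\(([^)]*)\)\s*VALUES\s*(.*?);", re.I | re.S)
ROW_RE = re.compile(r"\((.*?)\)(?=\s*,\s*\(|\s*$)", re.S)       # one (...) tuple per row
VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|(NULL)|(-?\d+)")     # quoted string | NULL | integer

def parse_admin_rows(dump: str) -> list[dict]:
    """Turn every INSERT INTO admin_user statement into column->value dicts."""
    rows = []
    for cols_text, values_text in STMT_RE.findall(dump):
        cols = [c.strip().strip("`") for c in cols_text.split(",")]
        for row_text in ROW_RE.findall(values_text):
            vals = []
            for m in VALUE_RE.finditer(row_text):
                if m.group(1) is not None:
                    vals.append(m.group(1).replace("\\'", "'"))
                else:
                    vals.append(None if m.group(2) else int(m.group(3)))
            if len(vals) == len(cols):          # skip rows the simple tokenizer could not split
                rows.append(dict(zip(cols, vals)))
    return rows

def classify_hash(stored: str) -> str:
    """Name the algorithm behind a stored admin_user.password value."""
    parts = stored.split(":")
    if len(parts) == 3:
        return HASH_VERSIONS.get(parts[2], f"unknown-version-{parts[2]}")
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5-legacy"                     # unsalted Magento 1 style value
    return "unrecognized"

def triage(rows: list[dict], known_admin_emails: set[str]) -> dict:
    """Known emails confirm the leak is genuine; unknown ones may be attacker-created admins;
    weak_hash lists accounts whose stored hash is MD5 and so should be rotated first."""
    known = {e.lower() for e in known_admin_emails}
    matched = [r["email"] for r in rows if r["email"].lower() in known]
    unknown = [r["email"] for r in rows if r["email"].lower() not in known]
    weak = [r["username"] for r in rows if classify_hash(r["password"]) in ("md5", "md5-legacy")]
    return {"matched": matched, "unknown": unknown, "weak_hash": weak}
```

Feed the script the actual sample from the forum post and your real admin email list; any address in "unknown" should be checked against the live admin_user table before credentials are rotated.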
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com