Someone said to me recently that the reason to work with me is that my laptop is programmed to find issues nobody else can identify. I laughed, and then I thought about how depressing the truth behind it is.
Finding the problem is not the hard part. Getting anyone to care is.
The Pattern I See Over and Over
I spot a hacked store. I try to report it. Nobody in the company responds, or the message reaches someone who does not understand what they are being told and files it as spam.
Meanwhile the same business is still spending money. Still running ads. Still paying for SEO. Still sending email campaigns. Every one of those pounds is being pushed into a funnel with a hole in it, and the people skimming card details at the other end are, in effect, being funded by the marketing budget.
I have written about why you should read the spam-looking site audit email for exactly this reason. Sometimes the person emailing you out of nowhere is the only one telling you the truth.
Why This Keeps Happening
Security has no owner in most ecommerce businesses. Marketing owns traffic. Ops owns fulfilment. Somebody owns the P and L. Nobody owns the question of whether the site is quietly compromised, so the answer never gets checked until the payment provider calls.
It is not that people are careless. It is that a compromised store still looks fine. Orders come in. The homepage loads. There is nothing to react to until the damage is already done, which is precisely what makes it dangerous. I made the same point about silent site failures nobody noticed.
What Actually Fixes It
Monitoring, and someone whose job it is to look. Not an annual audit. A routine. We run a daily monitoring stack precisely because supply chain attacks do not announce themselves, and I have written up what an unauthenticated RCE in Magento actually means for a merchant for people who want the technical version.
If you have not had anyone look at your store properly in the last year, that is not a small gap. That is the gap.
Ask someone to check. If it is not us, fine. Just ask someone.