In March 2019, a critical SQL injection flaw was discovered in Magento 1 and 2. This allows attackers to read and write to your database. A common attack pattern is that your admin passwords are stolen.
To fix this, install these Magento-supplied patches:
Installed these patches and eComscan still reports this issue? In some cases, the old (vulnerable) code is cached and still active. You should flush all caches. See also this Stackoverflow question.
It is also possible that you have a duplicate of the (older) Magento code located under your hosting account. In that case, it is recommended to purge the older version.