Shopify blames breach of customer data on third-party app
Learn More
On July 3, a data leak involving nearly 180,000 customer details from e-commerce giant Shopify surfaced on a popular hacking forum. Shopify has firmly denied that its systems were compromised. Instead, the company has attributed the data loss to a vulnerability in a third-party app.
The data leak was published by a threat actor known as 888, who claims to possess 173,873 sets of user information. They shared a sample of this data on the forum and offered it for a one-time sale. Interested buyers were instructed to contact 888 via personal message to negotiate the sale in Monero cryptocurrency.
The exposed data included:
- Shopify ID
- First name
- Last name
- Mobile number
- Trader count
- Total amount spent
- Email subscription status and date
- SMS subscription status and date
Shopify issued a statement, asserting that its systems had not experienced any security breach. The company clarified that the data leak was caused by a third-party app, and the developer of this app intends to notify affected customers. They did not disclose the third-party app nor the level of integration with Shopify.
While Shopify's systems remain secure, the breach still exposes customer data related to Shopify services. The users of Shopify services should check their credit card transaction data, change passwords and be aware of possible phishing attacks related to shopify.
