Shopify Customer Data Allegedly for Sale on Dark Web

A threat actor recently claimed on a dark web forum to possess a database containing sensitive information on 836,409 Shopify customers.

The alleged data, reportedly available for $150, includes delivery details, email addresses, billing names, shipping tracking numbers and links, and even credit card numbers.

This alarming announcement has sparked concerns among Shopify users and cybersecurity experts alike.

The threat actor’s post follows earlier reports of data leaks tied to Shopify-related third-party apps.

In July 2024, a hacker known as “888” shared data allegedly originating from Shopify, which included personal details such as names, email addresses, phone numbers, and order-related information.

Shopify denied any breach of its systems at the time, attributing the incident to a compromised third-party app used by some of its merchants.

Third-Party Apps Under Scrutiny

Investigations into past incidents revealed vulnerabilities in third-party plugins utilized by Shopify stores.

For instance, a publicly accessible MongoDB database linked to Saara, a company developing Shopify plugins, exposed 25GB of sensitive customer data from over 1,800 stores.

This data included customer names, addresses, email addresses, phone numbers, and partial payment information.

The database remained unsecured for eight months before being addressed.

Shopify has maintained that its systems were not directly compromised but acknowledged the risks posed by third-party integrations.

The company stated that it audits plugins for security issues but admitted that vulnerabilities in external infrastructure could leave customer data exposed.

Implications for Customers and Businesses

The alleged sale of Shopify customer data highlights the growing risks of cyberattacks targeting e-commerce platforms.

If the claims are verified, affected customers could face threats such as identity theft, phishing scams, and financial fraud.

Cybersecurity experts emphasize the need for businesses to strengthen their security measures and regularly audit third-party services to prevent similar breaches.

Shopify users are advised to monitor their accounts for suspicious activity and update their passwords as a precautionary measure.

Meanwhile, Shopify has yet to issue an official statement regarding the latest claims but previously assured users that affected parties would be notified in case of confirmed breaches.
