Shopify points to third-party app for data breach
A hacker recently advertised the sale of a database allegedly stolen from e-commerce giant Shopify. However, the company says the archives did not come from its systems, but from a third party.
Last week, a cybercriminal using the alias “888” attempted to sell a database containing approximately 180,000 rows of user information via BreachForums.
This information apparently includes people’s Shopify IDs, full names, email addresses, mobile phone numbers, order quantities, total spend, email subscriptions, email subscription dates, SMS subscriptions, and SMS subscription dates.
Phishing material
The breach is believed to have occurred on July 4, 2024. Shortly after the news broke, Shopify released a statement to a number of media outlets denying that there had been a breach and claiming the information had been obtained elsewhere.
“Shopify systems have not experienced a security incident,” Shopify told BleepingComputer. “The reported data loss was caused by a third-party app. The app developer plans to notify affected customers.”
On BreachForums, the hacker posted a small sample of the stolen data as proof of its legitimacy. They offered the archive as a one-time sale, meaning multiple purchases were not possible. Interested parties were asked to contact 888 via DMs and offer an amount in Monero (XMR).
Monero is a cryptocurrency popular among cybercriminals due to its enhanced privacy and anonymity features.
Multiple media outlets have confirmed that the hacker has a long track record of successful leaks. This year alone, 888 leaked sensitive data from Credit Suisse, Assurified, Heineken and Accenture.
We’ll know more details once the third-party app steps forward and notifies its customers. In the meantime, all Shopify users would be wise to pay extra attention to incoming emails and be wary of potential phishing or identity theft attacks.
The last data breach at Shopify happened about four years ago.