Shopify Data Breach Impacting 180,000 Users Tied to Third-Party App

Shopify has confirmed that a data breach impacting nearly 180,000 users originated from a third-party application, not from Shopify's own systems. This revelation follows a post on BreachForums by a threat actor claiming to sell user data allegedly linked to Shopify.

The breach was publicized by a user named “888” on BreachForums. The post appeared on Wednesday, July 3, 2024.

The threat actor provided a detailed list of the compromised data, which includes Shopify IDs, names, email addresses, mobile numbers, order counts, total spending, and subscription statuses.

A sample of the data reveals the personal information of several individuals, highlighting the severity of the leak.

Shopify's statement to Cyber Insider

When asked by Cyber Insider about the allegations the threat actor made, a Shopify spokesperson responded with a clarification on the incident's impact, reassuring that the platform's infrastructure hasn't been breached.

“Shopify systems have not experienced a security incident. The data loss reported was caused by a third-party app. The app developer intends to notify affected customers.”

– Shopify spokesperson statement to Cyber Insider on July 4, 2024

However, the company has not disclosed the name of the implicated third-party app or the exact number of affected individuals. We have contacted Shopify for further details but have not received a response yet.

Shopify, a prominent e-commerce platform, reported a revenue of $7.4 billion in the latest fiscal year. The platform enables individuals and businesses to create, manage, and grow online stores, offering services ranging from payment processing to marketing tools. With millions of users globally, any data breach associated with Shopify poses significant risks to its reputation and user trust.

The compromised data, as listed by the threat actor, includes:

• Shopify ID
• First and last names
• Email addresses
• Mobile numbers
• Order counts and total spending
• Email and SMS subscription statuses, along with subscription dates

Given the detailed nature of the leaked information, affected users could face heightened risks of phishing attacks and identity theft.

In light of this incident, Shopify users are advised to:

• Monitor their accounts for unusual activities.
• Change passwords immediately and use strong, unique passwords.
• Enable two-factor authentication for an additional layer of security.
• Be wary of phishing emails and messages requesting personal information.

While Shopify continues to investigate and clarify the extent of the breach, users should remain vigilant and take proactive steps to secure their personal data. The involvement of a third-party app highlights the importance of scrutinizing the security practices of all connected applications and services.