Shopify points to third-party app for data breach
Hacker claims sensitive data up for sale comes from Shopify
A hacker has advertised selling a database allegedly stolen from one of the best ecommerce platforms Shopify - however, the company says the archives did not come from its systems, but rather a third party.
A threat actor with the alias ‘888’ recently took to BreachForums to try and sell a database containing roughly 180,000 rows of user information.
This information apparently contains people’s Shopify IDs, full names, email addresses, mobile phones, orders counts, total money spent, email subscriptions, email subscription dates, SMS subscriptions, and SMS subscription dates.
Phishing material
The breach was said to have taken place on July 4, 2024. Soon after the news broke, Shopify released a statement denying it had been breached, and claiming the information was obtained elsewhere.
"Shopify systems have not experienced a security incident," Shopify told BleepingComputer. "The data loss reported was caused by a third-party app. The app developer intends to notify affected customers."
On BreachForums, the hacker released a small sample of the stolen data, as proof of its legitimacy. They are selling the archive as a one-time sale, meaning multiple purchases were not possible. Interested parties were told to reach out to 888 via DMs and offer a sum in Monero (XMR).
Monero is a cryptocurrency popular among cybercriminals due to its enhanced privacy and anonymity features.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The hacker has a long track record of successful leaks, multiple media outlets have confirmed. Just this year, 888 leaked sensitive data from Credit Suisse, Assurified, Heineken, and Accenture.
We will know more details once the third-party app steps forward and notifies its customers. In the meantime, all Shopify users would be wise to pay extra attention to incoming emails, and be wary of potential phishing or identity theft attacks.
Shopify’s last data breach was roughly four years ago.
More from TechRadar Pro
- Shopify data breach hits Kylie Jenner make-up firm
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.