Shopify plugin data breach exposes 7M orders

A ransomware attack recently leaked data from nearly 2K Shopify stores and over 7M individual orders. The data was held for ransom for 0.01 Bitcoin and was available for eight months. The Shopify plugins were developed by US company Saara, and it is apparent that Shopify does not audit its plugins for security thoroughly enough.
The Cybernews research team discovered that Saara, a developer of plugins for the e-commerce giant Shopify, exposed a vast amount of sensitive shopper data to threat actors, with millions of orders being leaked.
Key findings on the data breach affecting Shopify plugins from US developer Saara:
- Researchers discovered a publicly accessible MongoDB database belonging to Saara, a US-based company that develops Shopify plugins.
- The leaked database stored 25GB of data.
- The leaked data was collected from over 1,800 Shopify stores using the company’s plugins.
- It held data from more than 7.6 million individual orders, including sensitive customer data.
- The data stayed up for grabs for eight months and was likely accessed by threat actors.
- The database contained a ransom note demanding 0.01 bitcoin (around $640), or the data would be released publicly.

Plugins confirmed as affected by the leak:
- EcoReturns: for AI-powered returns
- WyseMe: to acquire top shoppers

Leaked data included:
- Customer names
- Email addresses
- Phone numbers
- Addresses
- Information about ordered items
- Order tracking numbers and links
- IP addresses
- User agents
- Partial payment information

Some of the online stores most affected by the leak:
- Snitch
- Bliss Club
- Steve Madden
- The Tribe Concepts
- Scoboo.in
- OneOne Swimwear

About the Author

Tyson is the official mascot of Moonbeam Development.