Shopify says customer data breach occurred via a hacked third party application

A threat actor has reportedly hacked into e-commerce giant Shopify’s internal network and stole the sensitive personal data of its customers.

 

Recently, a threat actor going by the name “888” listed Shopify as a victim on the dark web. The hacker claimed they infiltrated the e-commerce giant’s internal network and stole personal data of Shopify customers.

 

According to a screenshot shared on X, 888 claimed to be in possession of 173,873 sets of user data, including Shopify IDs, first names, last names, email addresses, mobile numbers, trader counts, total spent, email subscription, email subscription dates, SMS subscription, and SMS subscription dates.

 

To prove the authenticity of its claims, the hacker also leaked a portion of the stolen data and is willing to sell the entire database to a single buyer who can contact the hacker via personal message on the forum.

 

Responding to the allegations, a Shopify spokesperson said that the company has not suffered any data security incident.

 

In a statement shared with the media, a company spokesperson said, “Shopify systems have not experienced a security incident. The data loss reported was caused by a third-party app. The app developer intends to notify affected customers.”

 

Shopify is yet to comment on the number of affected individuals or reveal the third party app breached by the threat actor.

 

Last month, the hacker reportedly leaked a database containing personal and contact details of 32,828 individuals, allegedly current and former employees of Accenture. The data posted on Breach Forums on June 19, 2024, included full names and email addresses but no passwords.