Top-rated Shopify plugin exposes hundreds of stores to severe security risks

A privacy compliance plugin trusted by hundreds of Shopify merchants has been found leaking sensitive data, exposing online stores to threats including code injection, data theft, and full account takeovers.


Cybersecurity researchers at Cybernews discovered that Consentik, a popular Shopify plugin designed to ensure compliance with privacy laws such as GDPR, LGPD, and CCPA, had been silently broadcasting sensitive information via an unsecured Kafka server. The exposed data included real-time site analytics, Shopify admin credentials, and Facebook advertising tokens, all accessible to anyone online for at least 100 days.


Consentik, developed by Vietnamese firm Omegatheme, has been available on Shopify’s app marketplace since 2018 and holds a 4.9-star rating. It also bears the “Made for Shopify” badge—a designation meant to highlight apps that meet Shopify’s standards for quality and security. Despite this endorsement, the plugin’s misconfiguration put hundreds of e-commerce businesses across industries like fashion, cosmetics, fitness, and consumer electronics at risk.


The exposure revealed Consentik’s private backend infrastructure, where an unprotected Apache Kafka message broker, reachable without authentication, was found transmitting sensitive authentication data alongside web analytics. These included Shopify Personal Access Tokens—digital keys that, in many cases, provide admin-level access to a store’s backend—and Facebook Auth Tokens that could allow attackers to hijack advertising accounts.
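As an added illustration (not from the article, Cybernews or Omegatheme; Consentik’s actual broker configuration is not public), this is the kind of Kafka `server.properties` setup that leaves a broker readable by anyone who can reach it, next to a hardened equivalent. Listener addresses, file paths, the `admin` principal and the `CHANGE_ME` secrets are placeholders.

```properties
# --- WEAK (hypothetical): what an "unsecured Kafka server" looks like ---
# A plaintext listener bound to every interface, with no authentication and
# no authorizer configured, lets any host that can reach port 9092 subscribe
# to every topic, analytics and credentials alike.
# listeners=PLAINTEXT://0.0.0.0:9092
# advertised.listeners=PLAINTEXT://broker.example.internal:9092
# (authorizer.class.name not set, so ACLs are never evaluated)

# --- HARDENED: encrypted, authenticated, deny-by-default ---
# Expose only a TLS + SASL listener on a private address; firewall it as well,
# since the broker should never be reachable from the public internet.
listeners=SASL_SSL://10.0.0.5:9093
advertised.listeners=SASL_SSL://broker.example.internal:9093
security.inter.broker.protocol=SASL_SSL

# Broker TLS material (placeholder paths; keep the passwords out of this file
# in practice, e.g. via Kafka's config.providers mechanism).
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=CHANGE_ME
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=CHANGE_ME

# Authenticate every client with SCRAM; user credentials are stored in Kafka
# itself, and the JAAS entry below only supplies the inter-broker identity.
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="CHANGE_ME";

# Authorize: deny unless an ACL explicitly grants access; only 'admin' bypasses ACLs.
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:admin

# Clients must not be able to create ad-hoc topics that carry no ACLs.
auto.create.topics.enable=false
```

Per-topic grants are then added explicitly, for example `kafka-acls.sh --bootstrap-server broker.example.internal:9093 --add --allow-principal User:analytics --operation Read --topic site-events`. Separately from broker hardening, admin-level access tokens have no business travelling in an analytics stream at all; the stronger fix is to keep them out of the topic.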


“The scope of what can be accessed using the Shopify Personal Access Token can vary depending on the plugin that the token was generated for,” Cybernews researchers noted. They added that Consentik failed to disclose the full extent of its data access either in the Shopify App Store or in its privacy policy.


With access to these tokens, malicious actors could manipulate storefront content, steal customer data, launch phishing attacks, or run fraudulent ad campaigns—all under the merchant’s name and budget. Such vulnerabilities not only threaten financial loss but also damage brand reputation and could result in legal action, especially under strict privacy regulations in the European Union and California.


Omegatheme, which claims over 39,000 clients globally and 28 apps developed since 2015, was notified by Cybernews and has since secured the exposed server. Shopify has also been alerted, though neither company has issued an official statement regarding the incident.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543