Shopify Data Breach Puts Thousands at Risk


On Tuesday evening Shopify wrote a blog post saying that they had experienced a data breach. (Note that Shopify was not hacked; it was an inside job.) A blog post; not an announcement to customers*, let alone an outreach to affected customers, but a blog post – on their merchant ‘community’ board. Which means that the odds are good that you will never be directly contacted about this breach unless your Shopify-using merchant lets you know. (*OK, technically Shopify’s merchants are their customers, and they may be contacting those merchants, but not the actual people whose data has been compromised.)

Shopify is the web-hosting service that many, many businesses use to power their credit card and other financial transaction processing. (According to ShopifyAndYou.com, more than 1 million merchants now use Shopify as their processor.)


What happened is that two employees (in their post Shopify calls them “rogue members of our support team”) stole the records of up to 199 merchants, meaning the records of those merchants’ customers.

The critical part of their blog post (full post included below) is this: “This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.”

Note that word “complete”. Because in fact financial information is “part of this incident”, just not complete financial information.

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?

We know this because, as it happens, one of the affected merchants reached out to us, and here is what they had to say:

“On Monday, September 21st, 2020, Shopify informed us about a security incident that occurred on its platform. We now have the details of the customer information compromised and are proactively sharing what we know with you. Shopify told us that names, addresses, emails, product orders and the last four digits of credit cards may have been obtained. Shopify assured us complete credit card information and account passwords were NOT obtained.”

With this information it is easy for a scammer to contact you saying something like “Hi, this is so-and-so with Acme, and we are contacting you about order #1234 that you placed with us, for two shirts and a pair of pants, on September 15th. Your credit card did not go through so we need to run it again. It’s your credit card ending in 9876; can you please confirm the full number?”

 

This sounds so plausible that lots of people will fall for it.

As we always say, regarding any place that has your data, it’s not a matter of if they will have a data breach, it’s a matter of when.

Here is Shopify’s full post, which you can also read here:

Recently, Shopify became aware of an incident involving the data of less than 200 merchants. We immediately launched an investigation to identify the issue–and impact–so we could take action and notify the affected merchants.

Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants. We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.

This incident was not the result of a technical vulnerability in our platform, and the vast majority of merchants using Shopify are not affected. However, those whose stores were illegitimately accessed may have had customer data exposed. This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.

Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.

To put it simply, we are committed to protecting our platform, our merchants, and their customers. We will continue to work hard to earn your trust every day.
