Recent Shopify Breach Affecting 180,000 Users Blamed on Third-Party App

• Shopify recently suffered a data breach that saw user data leaked on a hacker forum.
• The e-commerce company denied the security incident originated from a system flaw and blamed the leak on a third-party app.
• Samples of the stolen information show full names, email addresses, phone numbers, and more were exposed.

Shopify said last week’s security incident was not caused by the company’s own systems but by a third-party app. The data breach that affected approximately 180,000 users was put up for sale on a popular hacker forum and boasted 180,000 rows of user information.

In a recent statement, Shopify revealed the reported security incident was caused by a third-party app and that the e-commerce giant’s systems aren’t impacted or to blame. However, the name of the implicated third-party app was not mentioned, and the exact number of affected people was not disclosed.

A user named “888” posted the Shopify breach on the forum on July 3. The threat actor provided a sample of the alleged 173,873 sets of user information, which apparently includes Shopify IDs, full names, email addresses, phone numbers, order counts, total spending, and subscription statuses.

Earlier this year, a publicly accessible MongoDB database was discovered belonging to a U.S.-based company called Saara, which develops Shopify plugins described as an “AI/ML-powered e-commerce technology suite.” As a result, a huge trove of sensitive user data was exposed, and millions of orders were leaked.

In recent news, U.S. messaging giant Twilio confirmed cybercriminals were able to identify phone numbers of people who use the Twilio-owned two-factor authentication (2FA) app Authy via an unsecured API endpoint, allegedly leaking 33 million Authy user phone numbers in late June.