Shopify Denies Data Breach: Blames Third-Party App


E-commerce supplier Shopify has confirmed that it did not experience a cyber security incident but stated that a data loss was caused by a third-party app. The Shopify data breach was reportedly claimed by a known threat actor, operating under the alias ‘888’, on the dark web marketplace BreachForums.

Shopify Inc. is a Canada-based multinational business that offers a proprietary e-commerce platform along with integrations to allow individuals, retailers and other businesses to set up their own online stores or retail point-of-sale websites.

Denying that a data breach took place from its own accounts, Shopify released a statement to multiple media outlets which read, “Shopify systems have not experienced a security incident. The data loss reported was caused by a third-party app. The app developer intends to notify affected customers.”

The company, however, did not give details of the cybersecurity incident that it was referring to, name the third-party app or state the number of impacted individuals.

While Shopify did not elaborate on the cybersecurity incident, the statement could be referring to the recent data breach which allegedly took place on July 4, 2024.

Threat actor ‘888’ has allegedly shared stolen data from Shopify on BreachForums, which consisted of personal details, email subscriptions and order-related information of its users.

Image source: BreachForums

The threat actor claimed to have carried out a data breach containing 179,873 rows of user information. These records apparently include Shopify ID, First Name, Last Name, Email, Mobile, Orders Count, Total spent, Email subscriptions, Email subscription dates, SMS subscription, and SMS subscription dates.

The hacker, ‘888’, had previously been linked to multiple high-profile data breaches, including Credit Suisse, Accenture India, Shell, Heineken, and UNICEF.

The breach could possibly have stemmed from a recent data breach incident impacting Evolve Bank and Trust.

Evolve Bank and Trust is a supporting partner of Shopify Balance, a money management integration built into the admin pages of Shopify stores. The bank is also a third-party issuer of Affirm debit cards.

Evolve Bank and Trust Data Breach Linked to Shopify?

Towards the end of June, Evolve Bank confirmed that it had been impacted by a cybersecurity incident claimed by LockBit. The bank disclosed that the stolen data included sensitive personal information such as names, social security numbers (SSNs), dates of birth, and account details, among other data.

Image source: X.com (@lvdeeaz)

In an official statement on the alleged Evolve data breach, the bank said, “Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users).”

Later, the financial firm Affirm Holdings confirmed that it had also been affected by the Evolve Bank and Trust data breach. The firm stated in a security notice on its website, “Affirm is aware of a cybersecurity incident involving Evolve, a third party vendor that serves as an issuing partner on the Affirm Card. We are actively investigating the issue. We will communicate directly with any impacted consumers as we learn more.”

Given the severity of the data breach, Shopify customers must be vigilant and guard against phishing attempts and identity theft. They should adopt healthy cyber practices, including monitoring their accounts for unusual activity, changing passwords, enabling two-factor authentication and being wary of phishing emails and messages that request personal information.
