Shopify, the popular e-commerce platform, is facing controversy after customer data allegedly leaked online. The company denies a direct security breach, instead pointing the finger at a third-party app on its platform.

This news comes after a threat actor known as “888” began selling data on a hacking forum, claiming it originated from a 2024 Shopify breach. The data reportedly includes customer information from Shopify stores.

The threat actor shared data samples that include a person’s Shopify ID, first name, last name, email, mobile number, order count, total spent, email subscription, email subscription date, SMS subscription, and SMS subscription date.

Buy Me A Coffee
Selling alleged Shopify data on a hacking forum
Source: BleepingComputer

Shopify maintains that its own systems were not compromised. In a statement to BleepingComputer, they claim the “data loss reported was caused by a third-party app,” and that “the app developer intends to notify affected customers.” However, Shopify did not disclose which specific app was responsible for the alleged data leak.

Shopify did not respond to further requests for more information about the app from which this customer’s data was stolen.

Fujitsu Confirms Customer Data Exposed in March Cyberattack