Shopify partner app leaked user privacy, nearly 17,000 sellers affected

Recently, Shopify's partner application Topd ser was exposed to be leaking customers' privacy data, including users' credit card data and personal details, affecting thousands of shoppers.

It is reported that the root cause of the data leak cannot be 100% determined, but there is considerable evidence that Topdser is the cause of the information leak. The links embedded in the data point to Topdser 's website, and other companies do not have the permission to access or create these links.

Topdser is a partner application of Shopify , which supports Shopify sellers to import products from AliExpress and 1688 and publish them to Shopify stores with one click, reducing costs while achieving 3 times the shipping speed; as well as automated bulk ordering, Shopify sellers can use AliExpress 's official interface to seamlessly place orders within seconds, up to 300 orders, without waiting between orders.

( Topdser 's display page in the Shopify App Store )

Nearly 17,000 Shopify sellers affected

Researchers pointed out that 100,000 purchase data from more than 17,000 Shopify stores were leaked, with the total amount of exposed data reaching 13 GB , while the total amount of data on the Shodan search engine was just over 95 GB .

Meanwhile, researchers noted that the breach numbered 17.5 million records when it was first discovered , but Shodan revealed a total of 23 million records were exposed, meaning the data breach could have affected around 80,000 to 100,000 consumers.

Screenshots shared by VPNMentor show that the leaked data includes order details, credit card and PII (personally identifiable information) data.

According to the hackread website, VPNMentor discovered the data leak problem of Shopify as early as November 21, 2020, and immediately notified Shopify , but Shopify did not take responsibility for the matter.

Topdser was also alerted to the same issue and VPNMentor advised it to close the vulnerability and take steps to protect the exposed data.

The database in question was closed on November 24, 2020, but neither company responded or issued an official statement on the matter. Data leaks may pose risks of theft or fraud.

Shopify data breaches happen from time to time

Not long ago, Shopify was also exposed for its security vulnerability that leaked user information of cryptocurrency hardware wallet provider Ledger , which is expected to put 20,000 Ledger customers at risk.

Due to the leakage of users' full names, home addresses and emails, some users have been phished by criminals, and some have even reported blackmail cases involving death threats.

In addition, on September 22, 2020, Shopify was exposed that two of its employees stole transaction records of approximately 200 merchants, but the employees involved had leaked the data in April and June last year, including information of Ledger customers.

It is reported that Shopify is cooperating with the FBI and other international law enforcement agencies to investigate the incident. Ledger has also reported the Shopify incident to the French data protection agency and promptly informed users of the progress of the incident involving privacy leaks.

It seems that Shopify will have to pay more attention to protecting user privacy and strengthening network security in the future to prevent such incidents from happening again.

Shopify