Mon. Jul 22nd, 2024

E-commerce giant Shopify has firmly denied allegations of a data breach, attributing the data loss to a third-party application and asserting that their own systems remain uncompromised.

Short Summary:

  • Shopify denies suffering a data breach.
  • Data loss attributed to a third-party app.
  • Threat actor ‘888’ claims responsibility for the data theft.

Recently, Shopify, a leading e-commerce platform, faced accusations of a data breach after a hacker began selling purported Shopify customer data. “Shopify systems have not experienced a security incident,” the company clarified in a statement to BleepingComputer. The alleged data breach was initially linked to a threat actor known as ‘888’, who claimed to possess and started selling stolen information from Shopify’s network.

On the dark web marketplace BreachForums, ‘888’ shared samples of the stolen data, which contained sensitive customer details such as Shopify ID, names, email addresses, mobile numbers, order counts, total amounts spent, and subscription dates.

However, Shopify quickly countered these claims, noting, “The data loss reported was caused by a third-party app. The app developer intends to notify affected customers.” Despite these assurances, Shopify has not provided further information about the specific third-party app involved or the exact number of affected individuals.

Understanding the Allegations:

The hacker ‘888’ is no stranger to high-profile data breaches, having previously been linked to incidents involving Credit Suisse, Shell, Heineken, Accenture India, and UNICEF. In this instance, ‘888’ claimed to have stolen extensive Shopify user data — approximately 179,873 rows — and shared it on BreachForums, thereby creating widespread concern among Shopify users.

Potential Connection to Evolve Bank and Trust:

Interestingly, speculation arose regarding a potential connection between the Shopify incident and a separate data breach involving Evolve Bank and Trust. This bank, which supports Shopify Balance, a money management service integrated into Shopify stores, confirmed a cybersecurity incident at the end of June. LockBit, a known cybercriminal group, was implicated in the breach, which exposed sensitive personal information, including names, social security numbers, dates of birth, and more.

In an official statement, Evolve Bank disclosed, “Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organisation that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users).” Affirm Holdings, another entity mentioned in connection with Evolve’s breach, also confirmed being impacted. Affirm serves as a third-party issuer for Shopify Balance debit cards. Affirm noted on their website, “We are actively investigating the issue. We will communicate directly with any impacted consumers as we learn more.”

Historical Context:

This incident is not the first time Shopify has been embroiled in a data security controversy. In 2020, Shopify admitted that two “rogue members” of its support team accessed the transactional records of about two hundred merchants, revealing vulnerabilities within the company’s ecosystem. This history has amplified concerns about the recent accusations of a data breach, even though Shopify maintains their systems have not been compromised this time.

Expert Opinions and Reactions:

Cybersecurity experts have weighed in on the situation, advising Shopify users to remain vigilant. They suggest proactive measures such as monitoring accounts for unusual activity, regularly updating passwords, enabling two-factor authentication, and being cautious of phishing attempts.

“Given the severity of the data breach, Shopify customers must adopt healthy cyber practices to guard against phishing attempts and identity theft,” advised Cybernews researchers. “Organisations should also reset impacted credentials and leverage password managers.”

The researchers also compared the potential fallout from this data loss to previous massive password leaks, such as the “rockyou2024.txt” incident. This breach exposed nearly 10 million unique plaintext passwords and underscored the importance of robust cybersecurity measures to mitigate risks.

Shopify’s Commitment to Security:

Despite the swirling allegations, Shopify has reiterated its commitment to security and transparency. The company has emphasised that the data loss reported was not due to any failure within its own systems but rather a third-party application. In its communication to media outlets, Shopify stated, “We take the security of our systems and data very seriously and will continue to work closely with our partners to protect the data and privacy of our customers.”

While Shopify’s swift denial and attribution to a third-party app offer some reassurance, the e-commerce giant’s customers are urged to stay informed and take necessary precautions to safeguard their personal information.


As the investigation continues and more details emerge, it remains crucial for both organisations and individuals to stay vigilant against cyber threats. In a digital age where data breaches are becoming increasingly commonplace, adopting stringent cybersecurity practices and maintaining open lines of communication are indispensable for mitigating risks. For more insights and updates on this developing story, visit and keep abreast of the latest News.

By admin

Leave a Reply

Your email address will not be published. Required fields are marked *