Share this article on:
A threat actor posted the details of nearly 180,000 customers to a hacking forum last week, but Shopify points the finger at a third party.
E-commerce giant Shopify has denied it has been hacked in the wake of a leak of nearly 180,000 customer details on a popular clear web hacking forum.
“Shopify systems have not experienced a security incident,” Shopify said in a statement to multiple media outlets.
“The data loss reported was caused by a third-party app. The app developer intends to notify affected customers.”
Shopify declined to confirm the number of customers impacted or what the particular third-party app is.
The data leak in question was made by a threat actor named 888 on 3 July. The threat actor claimed to have 173,873 sets of user information with the following data: Shopify ID, first name, last name, email, mobile, trader count, total spent, email subscription, email subscription date, SMS subscription, and SMS subscription date.
The threat actor also shared a small sample of the data. The data was offered as a one-time sale, and anyone interested was told to contact 888 via personal message on the forum to make an offer in the Monero cryptocurrency, which is popular for such criminal transactions.
The threat actor has posted dozens of allegedly leaked data sets in 2024 alone, including ones claiming to be from Credit Suisse, Assurified, and Heineken. Last month, the threat actor claimed to be responsible for a data breach affecting 32,000 Accenture employees. However, the company confirmed the next day that it had found only three employee emails.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.