Shopify Inc., a prominent e-commerce supplier, recently confirmed that it did not fall victim to a cyber security breach. Instead, the company stated that a data loss incident occurred due to a third-party app. The alleged breach, linked to a threat actor known as ‘888’, took place on the dark web marketplace BreachForums. Shopify, a Canada-based multinational business, offers a proprietary e-commerce platform for individuals, retailers, and businesses to establish online stores or retail point-of-sale websites.
In response to the incident, Shopify released a statement emphasizing that their systems did not experience a security breach. The data loss was attributed to a third-party app, and the app developer has plans to inform affected customers. However, Shopify refrained from disclosing specifics of the cybersecurity incident, the third-party app’s name, or the number of impacted individuals.
Reports suggest that the data breach occurred on July 4, 2024, with the threat actor ‘888’ sharing sensitive information from Shopify on BreachForums. The stolen data reportedly included personal details, email subscriptions, and order-related information of users, totaling to 179,873 rows of user information. This data breach encompassed various details such as Shopify ID, names, emails, mobile numbers, order count, total spent, and subscription dates.
Notably, the threat actor ‘888’ has been associated with numerous high-profile breaches in the past, including Credit Suisse, Accenture India, Shell, Heineken, and UNICEF. It is speculated that the breach may have originated from a recent incident impacting Evolve Bank and Trust.
In late June, Evolve Bank confirmed that it had been impacted by a cybersecurity incident facilitated by LockBit. Sensitive personal information, including names, social security numbers, dates of birth, and account details, was among the data stolen. Affirm Holdings, a financial firm, acknowledged being affected by the Evolve Bank and Trust data breach as well.
Given the severity of the situation, Shopify customers are advised to remain vigilant against phishing attempts and potential identity theft. It is recommended to practice sound cyber hygiene by monitoring accounts for unusual activities, updating passwords regularly, enabling two-factor authentication, and exercising caution when dealing with suspicious emails or messages requesting personal information.
In conclusion, the recent data loss incident serves as a reminder of the importance of robust cybersecurity measures and the need for individuals and organizations to stay proactive in safeguarding their sensitive information online. Shopify has reiterated its commitment to addressing such incidents and ensuring the security and privacy of its users.