Data Leaked from Shopify Plugins nearly 2k stores

A huge amount of confidential information of unsuspecting customers was exposed to hackers through ecological terrorism, a giant plugin developer, with millions of orders broadcasted.

 On 21st of February, Cybernews research team discovered a MongoDB database in public belonging to a US-based company, Saara, developing Spotify plugins. The firm describes its plugins as an “AI/ML- powered e-commerce technology suite”.

Order Analytics entries revealing ordered items, email addresses

Plugins confirmed as affected by the leak:  

  • EcoReturns: for AI- powered returns
  • WyseMe: to acquire top shoppers  

Other plugins made by Saara: 

  • EcoShip: for discounted shipping 
  • SalesGPT: and AI ecommerce chatbot

25 GB data was stored from a leaked database. Using the company's plugin over 1,800 Shopify stories were collected by plugins. More than 7.6 million fellow orders,as well as privileged customer data was held. Instead of relying on direct access to the database, it could have utilized the available public API provided by the endpoint for accessing data.

Order details including payment information, addresses, names, phone numbers, ordered items.

The data remained up for grabs for eight months and was likely accessed by cyberpunks. The database contains an extortion letter demanding 0.01 in bitcoin (around $640), or else the data would be released publicly.

A warning was given by a cybersecurity specialist regarding those poorly secured databases and services as they are likely to be targeted by spyware bots that can wipe out all of the data. Most often, Sara didn't notice the note served and left the database open.

More order details revealing ordered items, tracking tokens, user agents, email addresses, IP addresses 

Leaked data included:  

  • Customer names 
  • Email addresses 
  • Phone numbers 
  • Addresses 
  • Information about ordered items 
  • Order tracking numbers and links 
  • IP addresses 
  • User agents 
  • Partial payment information 

Cybernews contacted the firm and confirmed about the database being secured. The company’s CEO  Sachin Garg and Saara’s founder informed cybernews about receiving the disclosure, the company’s team “ immediately blocked the access to the database”. Although, the CEO of the company gave the disclaimer that the database was password-secured and did not contain any kind of ”confidential data”.

Incentive program for given story credits instead of processing returns

Caution with third-party services

The leak serves as a crisp example that whenever you put forward your personal data online, you can’t be sure that your data is in safe hands or not. It even reminds the developer of e-marketing stores to examine any kind of third-party plugins as they add to their story and these plugins can come with serve security, legal,privacy, and even business risks.

  • Snitch
  • Bliss Club 
  • Steve Madden 
  • The Tribe Concepts 
  • Mesmerize India 
  • By Invite Only 
  • Baesic World 
  • Fitville 
  • OneOne Swimwear
  • Binky Bro 
  • Off Duty India 

The leak also emphasizes the significance of mysterious information. The plugins collected almost all crucial data entered online by the user, including privileged details such as names, addresses, orders, and payment data.

List of shop using the affected plugins and their license tokens 

When Shopify claims to inspect plugins for security purposes, it seems to be tested evaluated unbolted infrastructure, leaving personal and confidential customer’s data  leaving private and sensitive customer data in peril . 
Cybernews connected to the affected stores and Shopify for a comment, but it's still unresponded.