{"id":24847,"date":"2024-07-08T12:10:33","date_gmt":"2024-07-08T20:10:33","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/07\/08\/news-18577\/"},"modified":"2024-07-08T12:10:33","modified_gmt":"2024-07-08T20:10:33","slug":"news-18577","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/07\/08\/news-18577\/","title":{"rendered":"Shopify says stolen customer data was taken in third-party breach"},"content":{"rendered":"\n<p>Shopify has <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/shopify-denies-it-was-hacked-links-stolen-data-to-third-party-app\/\">denied a breach<\/a> of its systems after a cybercriminal posted alleged Shopify customer details online.<\/p>\n<p>Shopify told BleepingComputer and other publications that the incident happened at a third party:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;Shopify systems have not experienced a security incident. The data loss reported was caused by a third-party app. The app developer intends to notify affected customers.&#8221;<\/p>\n<\/blockquote>\n<p>The cybercriminal posting under the handle \u201c888\u201d claims the breach took place in 2024 and contains 179,873 rows of users\u2019 information.<\/p>\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img decoding=\"async\" loading=\"lazy\" width=\"1258\" height=\"671\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/07\/BreachForums_fecf2c.png\" alt=\"BreachForums post by 888 about Shopify\" class=\"wp-image-113321\" style=\"width:700px\" \/><figcaption class=\"wp-element-caption\">Post by 888 offering Shopify data for sale<\/figcaption><\/figure>\n<p>The data offered for sale includes:<\/p>\n<ul>\n<li>Shopify ID<\/li>\n<li>First name<\/li>\n<li>Last name<\/li>\n<li>Email address<\/li>\n<li>Mobile phone number<\/li>\n<\/ul>\n<p>It also includes some Shopify specific data like number of orders, total spent, email subscription status, email subscription date, SMS subscription status, and SMS subscription date.<\/p>\n<p>Where the data comes from is a good question.<\/p>\n<p>In March, Cybernews <a href=\"https:\/\/cybernews.com\/security\/shopify-plugins-data-leak-saara\/\">reported<\/a> about a publicly accessible MongoDB database that belonged to a US-based company, Saara, who develop Shopify plugins. The leaked database stored 25GB of data which stemmed from plugins covering over 1,800 Shopify stores.<\/p>\n<p>In June, we <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/06\/federal-reserve-breached-data-may-actually-belong-to-evolve-bank\">reported<\/a> about a breach affecting Evolve Bank &amp; Trust that also affected several of its <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/07\/affirm-says-evolve-bank-data-breach-also-compromised-some-of-its-customers\">partners<\/a>. Shopify is a partner of Evolve.<\/p>\n<p>No doubt this isn&#8217;t the end of the story. We will keep you updated.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-protecting-yourself-after-a-data-breach\">Protecting yourself after a data breach<\/h2>\n<p>There are some actions you can take if you are, or suspect you may have been, the <a href=\"https:\/\/www.malwarebytes.com\/blog\/personal\/2023\/09\/involved-in-a-data-breach-heres-what-you-need-to-know\">victim of a data breach<\/a>.<\/p>\n<ul>\n<li><strong>Check the vendor&#8217;s advice.<\/strong> Every breach is different, so check with the vendor to find out what&#8217;s happened, and follow any specific advice they offer.<\/li>\n<li><strong>Change your password.<\/strong> You can make a stolen password useless to thieves by changing it. Choose a&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.malwarebytes.com\/computer\/how-to-create-a-strong-password\" target=\"_blank\">strong password<\/a>&nbsp;that you don&#8217;t use for anything else. Better yet, let a&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.malwarebytes.com\/what-is-password-manager\" target=\"_blank\">password manager<\/a>&nbsp;choose one for you.<\/li>\n<li><strong>Enable two-factor authentication (2FA).<\/strong> If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.malwarebytes.com\/glossary\/multi-factor-authentication-mfa\" target=\"_blank\">two-factor authentication (2FA)<\/a>&nbsp;can be phished just as easily as a password. 2FA that relies on a FIDO2 device can\u2019t be phished.<\/li>\n<li><strong>Watch out for fake vendors.<\/strong> The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the&nbsp;identity of anyone who contacts you&nbsp;using a different communication channel.<\/li>\n<li><strong>Take your time.<\/strong> Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.<\/li>\n<li><strong>Consider not storing your card details<\/strong>. It&#8217;s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.<\/li>\n<li><strong>Set up identity monitoring.<\/strong> <a href=\"https:\/\/go.cyrus.app\/MN4j\/fkkekmw9\" target=\"_blank\" rel=\"noreferrer noopener\">Identity monitoring<\/a> alerts you if your personal information is found being traded illegally online, and helps you recover after.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"h-check-your-digital-footprint\">Check your digital footprint<\/h2>\n<p>Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it\u2019s best to give the one you most frequently use) to our&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/digital-footprint\">free Digital Footprint scan<\/a>&nbsp;and we\u2019ll give you a report and recommendations.<\/p>\n<div class=\"wp-block-malware-bytes-button mb-button\" id=\"mb-button-7ba16f0b-04e8-4679-9512-2f21a0971dcf\">\n<div class=\"mb-button__row u-justify-content-center\">\n<div class=\"mb-button__item mb-button-item-0\">\n<p class=\"btn-main\"><a href=\"https:\/\/www.malwarebytes.com\/digital-footprint?utm_source=blog&amp;utm_medium=social&amp;utm_campaign=b2c_pro_acq_fy25dfplaunch_171269600960&amp;utm_content=V1\"><\/a><a href=\"https:\/\/www.malwarebytes.com\/digital-footprint\">SCAN NOW<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/07\/shopify-says-stolen-customer-data-was-taken-in-third-party-breach\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Shopify has denied it has suffered a breach, saying the stolen data comes from a third-party provider that will notify affected customers. <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[32,5897,31621,19516],"class_list":["post-24847","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-news","tag-privacy","tag-shopify","tag-third-party-login"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24847","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24847"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24847\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24847"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}