"Rogue" Shopify Employees Access Customer Data

Giulio Saggin

Tuesday 28 November 2023

Two rogue Shopify support team have been caught accessing customer transaction details and other data from around 200 online merchants.

Thankfully, the data stolen 'only' included contact information such as email addresses, names and physical addresses, as well as order details pertaining to products and services purchased.

"Complete payment card numbers or other sensitive personal or financial information were not part of this incident," said Shopify via a statement, adding that they "do not have evidence of the data being utilized".

Shopify immediately terminated the employees' access to their network and are working with the FBI and other international agencies as part of the investigation into the incident.

The affected merchants have been notified and Shopify is working with them to address the issue and any of their concerns.

Never miss a vulnerability like this again

Apple Rushes Out Security Updates to Address Exploited iOS Zero-Days

Microsoft Releases Patches for 73 Security Flaws, Including Two Zero-Days Under Active Exploitation

Critical Vulnerability Discovered in Fortinet FortiOS Devices

Critical: RCE Vulnerability in Confluence Data Center and Server

Google Fixes Chrome Zero-Day Exploited In The Wild

Security Vulnerability in MLflow Puts Servers at Risk

Apple Rolls Out Extensive Security Updates Across Devices

Features

Why You Need Real-Time Vulnerability Alerts As Your First Line of Defence in Data Protection

Why Every Organisation Needs Real-Time Cybersecurity Alerts

Analysis of CVE-2019-13602: VLC Media Player Integer Underflow

Five Billion Records And Counting ... Why 2023 Was A Big Year For Cyber Breaches

What is PCI DSS Requirement 6.1?

There are 12 PCI DSS Requirements that need to be met to attain PCI compliance. One of those, Requirement 6, ensures that an entity has its software protected by up-to-date "vendor-provided security patches".

What is PCI DSS Requirement 6?

The official explanation of PCI DSS Requirement 6 is summed up as "Develop and maintain secure systems and applications". In other words, an entity attaining PCI compliance needs to have its software protected by up-to-date "vendor-provided security patches".

What is an Approved Scanning Vendor (ASV)?

Discover the Complexities Behind PCI Compliance: Unraveling the Critical Role of External Scans, Internal Vulnerability Checks, and the Cruciality of Requirement 6.1 in Cybersecurity. Explore how ASVs and Services like SecAlerts Play Key Roles in This Compliance Puzzle!

What is a zero-day?

A zero-day refers to a vulnerability in software or hardware that is unknown to the vendor or the public. It's called "zero-day" because once it's discovered, attackers can exploit it immediately, leaving zero days for the vendor to fix it.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.