I had a not-so-friendly guy message me (he does eCommerce too) with a picture of my products from my Shopify store, along with product names, price, and last sale date. I understand it's really easy to scrape a Shopify website (and not illegal) with a scraping tool to get information about the products, however it seemed odd that he was able to see my last sale date. He also mentioned that he had "backend" access to my store from his "friends", which I really doubted. As a precaution, I removed an inactive staff account, removed unused apps, and changed my Shopify password (2FA was already enabled from a couple of weeks before), and I also logged out of all devices. I also checked my private apps (I have one which I created to link in with my store program), which I also doubt anyone has access to besides myself. The only place the API key exists is on my personal machine. Also, note that I do have a screenshot of all of the data I mentioned above that I received from him; I'd rather not send it here because it has product information on it.
My question is, is the last sale date metric he had access to something that can be scraped without having any access into the store? If so, how could this possibly have been done?
You took all the right steps to mitigate the risk of an actual account takeover.
If you think about it from their point of view - if the attacker actually had access to your store, do you think it would be wise to just disclose that to the true owner? A real hacker probably would work to swap out your payout bank with their own so they earn your profits. What does an attacker have to gain from giving away that they have access?
I agree, it's far more likely it's a scammer that is using a Shopify scraping tool to find this information from your store.
Unfortunately, information leakage is far more widespread than you think. Just because it's not in your store's legible HTML doesn't mean Shopify isn't accidentally leaking inventory or sales data. Most likely this scammer is trying to utilize far less damaging access to try to leverage you into acting on fear.
I'll let Shopify give you a definitive answer - but Shopify, if you have a bug bounty program to pay white hats like myself to disclose what should be private information, I'm happy to participate!
I'm not sure how they could scrape your last sale date. I know sometimes drop shippers use an old-school technique & will purchase from stores to see if they are worth scraping & reselling from. If they purchase on the first & last day of the month, then they can figure out how many sales you had that month since they'll have the order numbers. Maybe this guy purchased from you & is scraping you for drop shipping purposes, but it sounds more like one of those scammer emails that prey on fear.
I guess I should point out I'm the true owner, lol. It really sounds stupid, but I've known this guy personally before; it's as simple as he's not a very nice or mature guy. I will agree, I think the odds are that he's scraped the data off of my store via Shopify somehow, although the last sale date is a worrying metric. I guess his scraper could look for pixel code that gets activated, but not sure. I don't think he would have any intention of taking profits, as I know his company and him, and that would wind him up in a courtroom with me on one side.
I did contact Shopify and all they could say for right now was to take precautions by changing passwords on all accounts, enabling 2FA, and checking apps as well as private apps. I think, if there was a breach, it would have been mitigated at this point unless a backdoor script was somehow installed in the theme, which I doubt.
@Alison_Hess I agree, I don't think there's a way he could easily get the last sale date, accurately, for each and every product. So far Shopify doesn't know how he could do that either. I never did get a purchase from him, and I do change my order numbers now and then to disrupt stuff like that.
If it makes you feel any better, a theme can't modify the true Shopify login page, so the only vector an injected malicious script has is to redirect you to another website that's themed to look exactly like the real login page.
So whenever you log in, double check that you're on the official Shopify login URL: https://accounts.shopify.com/store-login
But scripts by app developers or theme developers cannot modify the real login page, so you're safe there.
When in doubt, use a password manager, use unique passwords across all sites, enable 2FA, and reset your passwords frequently.
Thanks @BrandBuilder, I have an app to reverse engineer now. Shopify must be leaking order details in the HTML/GraphQL or API on some pages and this app is exploiting that.