Potential store security breach

BrandBuilder
Excursionist

Hello,


I had a not-so-friendly guy message me (he does eCommerce too) with a picture of my products from my Shopify store, along with product names, prices, and last sale dates. I understand it's really easy to scrape a Shopify website (and not illegal) with a scraping tool to get information about the products; however, it seemed odd that he was able to see my last sale date. He also mentioned that he had "backend" access to my store from his "friends", which I really doubted. As a precaution, I removed an inactive staff account, removed unused apps, and changed my Shopify password (2FA was already enabled from a couple of weeks before), and I also logged out of all devices. I also checked my private apps (I have one which I created to link in with my store program), which I also doubt anyone has access to besides myself. The only place the API key exists is on my personal machine. Also, note that I do have a screenshot of all of the data I mentioned above that I received from him; I'd rather not send it here because it has product information on it.


My question is, is the last sale date metric he had access to something that can be scraped without having any access to the store? If so, how could this possibly have been done?

Thanks.

dylanpierce
Shopify Partner

Hi @BrandBuilder 

You took all the right steps to mitigate the risk of an actual account takeover.

If you think about it from their point of view - if the attacker actually had access to your store, do you think it would be wise to just disclose that to the true owner? A real hacker probably would work to swap out your payout bank with their own so they earn your profits. What does an attacker have to gain from giving away that they have access?

I agree, it's far more likely it's a scammer that is using a Shopify scraping tool to find this information from your store.

Unfortunately, information leakage is far more widespread than you think. Just because it's not in your store's legible HTML doesn't mean Shopify isn't accidentally leaking inventory or sales data. Most likely this scammer is trying to utilize far less damaging access to try and leverage you to act on fear.

I'll let Shopify give you a definitive answer, but Shopify, if you have a bug bounty program to pay white hats like myself to disclose what should be private information, I'm happy to participate!

Founder of Verdict - Anti-Fraud Apps for Shopify
  • Blockade - Easily block countries, IP addresses, VPNs
  • Real ID - Verify your customer's real IDs easily & securely
Alison_Hess
Excursionist

I'm not sure how they could scrape your last sale date. I know sometimes drop shippers use an old-school technique and will purchase from stores to see if they are worth scraping and reselling from. If they purchase on the first and last day of the month, then they can figure out how many sales you had that month since they'll have the order numbers. Maybe this guy purchased from you and is scraping you for drop shipping purposes, but it sounds more like one of those scammer emails that prey on fear.

BrandBuilder
Excursionist

@dylanpierce 

I guess I should point out I'm the true owner, lol. It really sounds stupid, but I've known this guy personally before; it's as simple as he's not a very nice or mature guy. I will agree, I think the odds are that he's scraped the data off of my store via Shopify somehow, although the last sale date is a worrying metric. I guess his scraper could look for pixel code that gets activated, but I'm not sure. I don't think he would have any intention of taking profits, as I know him and his company, and that would wind him up in a courtroom with me on the other side.

I did contact Shopify, and all they could say for right now was to take precautions by changing passwords on all accounts, enabling 2FA, and checking apps as well as private apps. I think, if there was a breach, it would have been mitigated at this point unless a backdoor script was somehow installed in the theme, which I doubt.

BrandBuilder
Excursionist

@Alison_Hess I agree, I don't think there's a way he could easily get the last sale date, accurately, for each and every product. So far Shopify didn't know how he could do that either. I never did get a purchase from him, and I do change my order numbers now and then to disrupt stuff like that.

dylanpierce
Shopify Partner

@BrandBuilder 

If it makes you feel any better, a theme can't modify the true Shopify login page, so the only vector an injected malicious script has is to redirect you to another website that's themed to look exactly like the real login page.

So whenever you log in, double check that you're on the official Shopify login URL: https://accounts.shopify.com/store-login


But scripts by app developers or theme developers cannot modify the real login page, so you're safe there.

When in doubt, use a password manager, use unique passwords across all sites, enable 2FA, and reset your passwords frequently.

BrandBuilder
Excursionist

@dylanpierce Good news, I found out the app. It's a Chrome extension called AliHunter, and it was able to pull up my last sale date with the click of a button. How it got that info, I don't know, but it's free and there's nothing to do besides go to a Shopify site and see.

dylanpierce
Shopify Partner

Thanks @BrandBuilder, I have an app to reverse engineer now. Shopify must be leaking order details in the HTML/GraphQL or API on some pages, and this app is exploiting that.


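The thread never establishes where the extension gets its "last sale date", so the useful defender-side step is to audit what your own storefront already publishes. The script below is an added example, not code from Shopify or from anyone in the thread. It assumes the public storefront endpoint `/products.json` (with its `limit` query parameter) and the `created_at` / `updated_at` / `published_at` field names in the shape of that endpoint; the sample payload is constructed here, not captured from any real store. Whether a "modified since creation" timestamp can be correlated with sales activity is a hypothesis the script labels as such, not a fact the thread supports.

```python
"""Merchant-side audit of the timestamps a Shopify storefront publishes.

Added example for this thread, not code from Shopify or from any poster.
Assumptions: the public storefront endpoint /products.json (and its
``limit`` query parameter) and the timestamp field names below match the
shape of that endpoint; SAMPLE_PRODUCTS_JSON is constructed, not captured
from a real store; how the extension in the thread derives a "last sale
date" is NOT established by the thread, so "modified_since_creation" is
only a hypothesis about what an outside observer could correlate with
store activity.
"""
import json
import sys
import urllib.request
from datetime import datetime
from typing import Dict, List

TIMESTAMP_FIELDS = ("created_at", "updated_at", "published_at")

# Constructed sample in the shape of a storefront /products.json response.
SAMPLE_PRODUCTS_JSON = json.dumps({
    "products": [
        {
            "id": 1, "title": "Widget", "handle": "widget",
            "published_at": "2021-01-15T10:00:00-05:00",
            "created_at": "2021-01-15T10:00:00-05:00",
            "updated_at": "2021-02-08T18:42:11-05:00",
            "variants": [
                {"id": 11, "title": "Default", "price": "19.99", "available": True,
                 "created_at": "2021-01-15T10:00:00-05:00",
                 "updated_at": "2021-02-08T18:42:11-05:00"},
            ],
        },
        {
            "id": 2, "title": "Gadget", "handle": "gadget",
            "published_at": "2020-12-01T09:00:00-05:00",
            "created_at": "2020-12-01T09:00:00-05:00",
            "updated_at": "2020-12-01T09:00:00-05:00",
            "variants": [
                {"id": 21, "title": "Default", "price": "5.00", "available": False,
                 "created_at": "2020-12-01T09:00:00-05:00",
                 "updated_at": "2020-12-01T09:00:00-05:00"},
            ],
        },
    ]
})


def _parse(ts: str) -> datetime:
    # Shopify-style ISO 8601 with a UTC offset, e.g. 2021-02-08T18:42:11-05:00
    return datetime.fromisoformat(ts)


def audit_products(payload: str) -> List[Dict]:
    """Per product: which timestamp fields are public (at product and variant
    level), the most recent updated_at across product and variants, and
    whether the product has changed since it was created."""
    products = json.loads(payload).get("products", [])
    report = []
    for p in products:
        variants = p.get("variants", [])
        exposed = sorted(f for f in TIMESTAMP_FIELDS if p.get(f))
        variant_exposed = sorted({f for v in variants for f in TIMESTAMP_FIELDS if v.get(f)})
        candidates = [c for c in [p.get("updated_at")] + [v.get("updated_at") for v in variants] if c]
        latest = max(candidates, key=_parse) if candidates else None
        created = p.get("created_at")
        # Hypothesis, not a fact from the thread: a public updated_at that moves
        # after creation is the kind of signal an observer could watch over time.
        modified = bool(latest and created and _parse(latest) > _parse(created))
        report.append({
            "handle": p.get("handle"),
            "exposed_fields": exposed,
            "variant_exposed_fields": variant_exposed,
            "latest_update": latest,
            "modified_since_creation": modified,
        })
    return report


def fetch_products_json(store_domain: str, limit: int = 250) -> str:
    """Fetch the public storefront listing for a store you administer.
    Assumes the /products.json endpoint and its limit parameter."""
    url = f"https://{store_domain}/products.json?limit={limit}"
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # With no argument the constructed sample is audited; pass your own store
    # domain to audit what it actually publishes.
    raw = fetch_products_json(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PRODUCTS_JSON
    for row in audit_products(raw):
        print(row)
```

Run it against your own domain and compare the `latest_update` values with your order history: if they track order dates closely, that is the kind of public signal worth raising with Shopify, which is what the thread ends up recommending.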
BrandBuilder
Excursionist

@dylanpierce Let me know what you find, and I think this should be brought up to Shopify. Last order dates should definitely not be information that's leaked from a store.
