Security Advice - HACKED PLEASE HELP URGENT

Tourist
8 0 1

Hey guys and gals,

 

I am in a big slump here. Here's what my stores current situation looks like.

 

We switched over to Shopify at the end of Jan. We are currently paying for the middle 80$ plan + us buying 1000$ worth of hardware. We switched over from Moneris because we had the problem of getting hacked and hours and hours of work and thousands of product uploads deleted. I eventually convinced the owner after many hours of convincing to make the switch to Shopify and buy all the hardware.

 

Now we switched to Shopify, advanced security, well known online platform, thousands of users. 2 weeks in and we get hacked again. All products over the first 2 weeks of uploading deleted. Probably only about 100hrs of paid work which isn't as bad as Moneris which was over 1000+ hours of work deleted.

 

Anyways, okay hacked again its bad but lets think about the solutions.

 

So we call Shopify. We are told to add the 2 step verification step that texts you a code. We do that right away.

 

Next day we spend the first 8 hours uploading our products back and fixing our store. Guess what happens next? Hacked again.

 

With the 2 step verification process enabled the hacker was still able to get into the Shopify account and delete all our items and mess up the full layout of our shop.

 

We call Shopify.

 

We are told they have never seen this and I feel like we are getting the run around with them.

 

We were very excited to switch to Shopify and start to build an online presence with our shop. We also have a brick and mortar 5000sq ft shop and do a lot of volume so we need to be sure we can trust the system we are using. It would power the in store and online store so all the inventory would be synced.

 

Now, the owner of the shop I manage has told me if we don't get an answer from Shopify this week he wants to pack everything up and cancel the plan as we cannot use it. If we cant get re assurance that we wont get hacked again or an answer to why this is happening then how are we supposed to confidently upload our inventory which is thousands and thousands of products just at the chance of all that work deleted.

 

We have never even made an online sale with Shopify and we are a target and there's no answer. What happens if this hacking happened to a big account of Shopify's that does millions of dollars in sales. They would get no answer. That seems like insanity just typing it out. How could that even be possible.

 

On the 3 instances we got hacked we have the time of the hack, the IP address which is not VPN protected, the device and on top of that we got an e-mail the first time we got hacked asking if this was us signing in because it was from an unusual device and we clicked "no". After that we got hacked 2 more times from the same IP. You think selecting that would at least block that IP. But apparently saying "no" this isn't me signing into my account doesn't alert Shopify or stop that person it does nothing.

 

I don't know what I am hoping to get from this post. Maybe, just an answer. Or it will be seen by the right team member of Shopify. We want to stick with Shopify but not sure how at this point.

 

We have contacted police, lawyers, started a small claims case and are working on this at our end. Looking for any additional help at this point.

 

Thank you.

0 Likes
Tourist
8 0 1

EMAIL I JUST RECEIVED FROM SHOPIFY TEAM MEMBER:

 

"Hi Mitch,

Thank you for your reply,

 

This is just a quick email to update you on our investigation surrounding the reported unauthorised activity on your Shopify account.

 

Upon discovery of the original compromise of the account, we partnered with our security team to look into the event. Part of our standard process when securing an account that has potentially experienced a compromise is to work with our merchants to enable 2 step authentication. By working with us to secure the account, including enabling 2 step authentication, we were able to protect your account against any subsequent unauthorized login attempts.

 

This, however, did not apply to any users currently logged in as those sessions remained authenticated.

At this time, we can assure you that your account is secure and that the only people able to access the account and make changes will be yourself and whoever you give express permission to.

In light of this, we have taken steps to review our processes when it comes to potentially compromised accounts. In order to take further precautions in the future, we will be including a more thorough approach, ensuring that all users are automatically logged out upon the initial report of unauthorized access.

 

I appreciate your patience and co-operation while we investigated this matter on your behalf.

Thank you and if you have any further questions please let me know by replying directly to this email and I will be happy to help,

 

thanks,"

 

----------------------------------------------------------------------------------------------------------------------------

 

I do not understand.

 

"By working with us to secure the account, including enabling 2 step authentication, we were able to protect your account against any subsequent unauthorized login attempts. "

 

This is just simply not true as I was still hacked once this was activated.

 

"This, however, did not apply to any users currently logged in as those sessions remained authenticated. "

 

No users were logged in beforehand when i got hacked. It happened the next day after I had clicked the Shopify option to log everyone out the day before. Also I had the 2 step activated at this point. It was a brand new login.

 

I feel like they aren't even listening to me or looking into the account.

 

..

 

 
 
 
0 Likes
Shopify Staff (Retired)
Shopify Staff (Retired)
43 6 11

Hello, there.

Anders from the Shopify Social Care team here.

 

First off, thank you for sharing our experience here. The integrity, and most importantly, security of our platform is one of our highest priorities. By the sounds of the email, you've been speaking with our Accounts Integrity team which specifically handle these situations - so that's good. I realize how deeply concerning a compromised account can be, so given the sensitive nature of the issue, I highly encourage you to reply directly to our team's email to ensure a quick path to a resolution, as well as minimizing any other potential security risks. 

 

With the context I have about the issue, is it possible you or the owner had a business relationship with a former partner or employee that ended poorly who may still have access to a device (mobile, laptop etc.) used by the business? If so, I would definitely make sure to include those details in an email sent back to our Account Integrity team.

 

I truly hope for a quick resolution but continuing to speak with our Account Integrity team via email will be the best, and most secure, option going forward.

Anders | Social Care @ Shopify
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

1 Like
Tourist
8 0 1

 

" I highly encourage you to reply directly to our team's email to ensure a quick path to a resolution, as well as minimizing any other potential security risks. "

 

I do reply through e-mail which usually takes the Shopify security team 3 days to come up with the same answer they originally had 3 days before.

 

" With the context I have about the issue, is it possible you or the owner had a business relationship with a former partner or employee that ended poorly who may still have access to a device (mobile, laptop etc.) used by the business? If so, I would definitely make sure to include those details in an email sent back to our Account Integrity team. "

 

It could be a past employee but it doesn't explain how they by pass the 2 step authentication process. Its not like they have the business owners cell phone to confirm the pass code.

 

---------------------------

 

I do appreciate you taking the time to respond to this. How do they keep getting in through the same IP address and without confirming the passcode for the 2 step process.

 

We are just told over and over again to enable the 2 step authentication process. Which was enabled the last 2 times we were hacked.

 

 

0 Likes
Tourist
8 0 1

Okay, so i just tried to login through the owners account and I got the 2 step process screen like i should have.

 

BUT

 

in the options below i see "use a recovery code" - " Enter a 12–character recovery code that you previously downloaded and saved."

 

Now I am logged in I see the 2 step is enabled. Code delivery method is only SMS. No backup phone enabled.

 

Then I see;

" If you lose your mobile device, or don’t have it with you, a recovery code is the only way to log in to your account when two-step authentication is enabled. "

 

Maybe the hacker has this code. How can I disable this? How come the 10 times I called Shopify this was never brought up? Wouldn't you think once I said my account has been hacked and the hacker didn't have the cellphone attached to the account then that would be the first thing they should have thought of, no? Maybe they have the code. Baffling it never got brought up with my countless calls and emails back and forth with Shopify.

 

I am not 100 percent that is how they are getting in but it seems like one of the only ways.

 

I guess thats the front runner for how they are getting into the account. This extra security code.

0 Likes
Tourist
8 0 1

I cant believe the recovery codes were never brought to my attention by the Shopify team.

 

One Shopify team member and I kid you not suggested the ex employee had set up mirrors within the store pointing at the keyboard and screen to see what we type. Honestly, sounds like the guy watched to much Mission Impossible.

 

It seems like the first time without the 2FA he just got a lucky guess at the pass ( maybe ? ) . Then after that probably grabbed the codes. Do you know if the recovery codes are available before you set up 2FA? With the codes you get 10 codes that you can use one time each.

The police are coming tomorrow. Not sure how much help they will be but it seems like the IP was not VPN protected says our computer guy. Which he says is a good thing.

Submitting an IC3 now.

0 Likes
Shopify Staff (Retired)
Shopify Staff (Retired)
43 6 11

Thanks for the updates here.

 

The backup codes are not made available until after 2FA is set up. Unless this individual was present during the initial 2FA process, I really don't believe they would have had access to these codes. Whenever a code is used, our system also tracks when it happens. This is a very odd case but I'm sure our support staff was only trying to offer a possible explanation. The other strange factor in all of this that the behavior of the individual doesn't reflect typical fraudulent patterns. Usually, when an individual gains access to a service, sensitive information such as billing and banking information will be downloaded, rerouted or changed. Products being deleted and the theme layout being 'messed' with isn't typical of an attacker, which again, leads to the very odd nature of this event.

 

All that aside, I have heard word that our Account Integrity team is continuing to look into this issue and will provide you with an update via email once they have one. In the meantime, feel free to provide any further updates here but please do take care to not reveal too much as this is a public forum and I wouldn't want for you to run into another security risk. Any sensitive account conversations should be kept to our secure email system. Thank you. 

Anders | Social Care @ Shopify
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

0 Likes
Tourist
8 0 1

Yeah its really stange how they got in the next day then once 2FA was activated. They were in before but no codes were available to copy.

 

The 2nd time they got in we didnt get an update to say hey is this you signing in or even a text message to confirm the 2FA.

 

It is exactly what this hacker wanted to do. We are sure it is a past employee who just wants to go in and delete all of our work. Hes really a sick indivual. He doesnt want credit card numbers because he knows we know its him. So he doesnt want to go that far.

 

The hacker just wants to delete hours upon hours of work. We talked to Police they said yes a criminal investigation has been opened and Shopify is involved. I would suggest a member of the security team to jump on a phone call with us but they wont. 

 

The last e-mail from Shopify was pretty much saying the case is closed and that as long as 2FA is active then we are all good. Which isn't a true statement since we got hacked since then. No word of blocking an IP address, nothing...

 

Unless you have an update on my situation Anders that would be fantastic as I haven't heard anything in a few days and since talking to Police and giving them the chat log with Shopify I think someone should be calling to check in on the hacking situation we are dealing with before this goes more public now especially with police and IC3 involved, we dont want this to get to public about Shopifys flawed security. 

0 Likes