Security issues - My Shopify account is hacked

Security issues - My Shopify account is hacked

BM1212
Visitor
1 0 0

Dear Shopify Support Team,

 

My shopify account has been hacked, and the hacker removed the description from the product page and messed with the set product weight which has caused issues with the shipping prices at the checkout page. This incident happened immediately after the collaborator code was given out to the theme's support team member. 

 

I raised a query to the Theme support team who assigned a support team member to resolve the query.  As per the users & permission section of shopify, the support person never logged in to my account since the code was given out. Now the question is whether he shared the code with someone else or the email got hacked. 

 

Since yesterday, I have changed my password a couple of times, but the hacker is still getting into my account and keep changing the contents. The most recent one is "Description removed" which I noticed a couple of hours ago.

 

Is it possible to play with the contents through theme's code without getting into shopify?

Please can you investigate how my site was hacked, and what steps I should take to protect it. 

 

Regards,

Replies 2 (2)

StephensWorld
Shopify Partner
1398 174 364

I'd recommend taking a look at your Users & Permissions section within the Shopify admin. 

 

Admin > Settings > Users and permissions

 

It'll list everyone who has a staff account or a collaborator account. It'll also tell you when they last logged in. You can remove access (delete the account) to anyone who shouldn't have access to your store, or to someone who you think might have their access compromised. 

 

You can also look at the 'store activity log'. 

 

Admin > Settings > Store Activity Log

 

This will tell you who made the most recent changes. If the changes are coming from your account, then you'll know it's your logins that are being compromised. If they're coming from one of your staff members or a collaborator account, then you can remove their access (via the steps above) to prevent any further changes. 

 

One last thing you can look at is your 'custom apps'. 

 

Admin > Apps > App and sales channel settings > Develop apps. 

 

If you have any custom apps listed here, that you don't recognize, then you can remove them, to prevent access to your store. If you don't have any custom apps, then you'll see a page with a button saying "allow custom app development" (don't click this) and you'll be able to rule this out as a potential source of the breach. 

 

To answer your main question directly:

 

"Is it possible to play with the contents through theme's code without getting into shopify?"

 

No, it's not possible to gain access to the Shopify admin, via coding added to the theme, but it is possible to have coding in the theme which would change how descriptions are shown on the frontend (customer facing site) ... though the descriptions wouldn't be affected in the back-end admin, so you can check some products within the admin to find out if it's the products being affected, or if the theme just isn't displaying the descriptions correctly. 

 

I wish you the best of luck with sorting this out, and I hope the above helps a bit! 🙂

★ Did my post help? If yes, then please like and accept solution. ★

https://stephens.world
[email protected]

sanjayagrawal12
Visitor
1 0 0

Is there any way to plan a backup before it get hacked?