Recently, Shopify became aware of an incident involving the data of less than 200 merchants. We immediately launched an investigation to identify the issue--and impact--so we could take action and notify the affected merchants.
Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants. We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.
This incident was not the result of a technical vulnerability in our platform, and the vast majority of merchants using Shopify are not affected. However, those whose stores were illegitimately accessed may have had customer data exposed. This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.
Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.
To put it simply, we are committed to protecting our platform, our merchants, and their customers. We will continue to work hard to earn your trust every day.
I'm terribly worried and concerned about this incident
Since becoming aware of the incident, Shopify has conducted a thorough investigation of the incident, immediately suspended the individuals’ access to our network, notified law enforcement, and engaged a third party digital forensics firm to conduct an independent investigation. Merchant trust and data security remain a top priority at Shopify, and we are committed to protecting our platform, our merchants, and their customers. Thanks!
I just had 2 cancel my credit card. I was one of those customers. Received an email from the online store and had 2 fraudulent charges on my credit card.
I am really concern about identity theft. Who should I contact about that?
Shopify won't do anything but tell you "idenity theft was impossible". contact your bank, cancel the cards and get the charges removed thats all you can do.
Is the reason you can't ID merchants due to contractual privacy issues with them? I'm writing a blog post about this and I want to be accurate. Thanks!!!
The fraud accured before they announced it not before it happened. It takes companies sometimes days before they realize then they make the decision on whether or not to report it. In my case I can still see every dang charge these guys try on my now dead card. Last charge was Friday they attempted 4 LYFT charges. I tried contacting LYFT NOTHING! I just informes my bank, it's crazy how stealing a cars or identity theft is looked at like not even a big deal now a day.
Shopify, thank you for making (us) members aware of this incident, keeping us updated and reporting it to authorities. Hope the investigation goes well. Keep up the good work!
@Nem360 is spot on. If you read the memo from Shopify closely, this is an internal breach where employees accessed personal data of customers. We are being notified after those employees were terminated and reported to authorities.
In my opinion, Shopify has an ethical obligation to pursue complaints from customers regarding potentially related fraud and also ensure it is reported to those same authorities which Shopify originally reported the incident to. Otherwise, law enforcement would not know true true extent of the issue and the bad actors in this case could get off the hook for crimes that went unreported.
I agree with you. Shopify should take into account your concern and include it into the investigation and then determine officially if it was or was not breached. According to Kylie's website, the breach occurred from August 15th to September 15th. https://www.kyliecosmetics.com/pages/faqs
From Kylie's website. I would take it into consideration.
@fraudvictim @jasmd25 and @Nem360 - Hello, I just wanted to ask, did the charges occur with another Shopify merchant? The reason why I ask, is that these employees used "Shopify’s Orders API" which would probably allow them to make charges to your card, but not necessarily exposing your security code or whole credit card number. Please let me know. Thank you.
The reason why I ask, is that these employees used "Shopify’s Orders API" which would probably allow them to make charges to your card, but not necessarily exposing your security code or whole credit card number. Please let me know. Thank you.
Have you created a collection on your online store and experienced an issue with adding yo...By Ollie Aug 24, 2022