Re: Incident Update

What happened in the recent data incident involving less than 200 Shopify merchants?

Shopify
Community Manager
203 5 269

Recently, Shopify became aware of an incident involving the data of less than 200 merchants. We immediately launched an investigation to identify the issue--and impact--so we could take action and notify the affected merchants.

Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants. We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.

This incident was not the result of a technical vulnerability in our platform, and the vast majority of merchants using Shopify are not affected. However, those whose stores were illegitimately accessed may have had customer data exposed. This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.

Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.

To put it simply, we are committed to protecting our platform, our merchants, and their customers. We will continue to work hard to earn your trust every day.

Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 

- To learn more visit the Shopify Help Center or the Shopify Blog

Replies 33 (33)

lireille
Visitor
1 0 1

What merchants are affected? Will you notify your merchants that are affected? 

marctrem
Visitor
1 0 2

The first paragraph makes it seem like so.

It's a great time to look at GDPR Art. 33 & 34 and Recital 87:

https://gdpr-info.eu/art-33-gdpr/
https://gdpr-info.eu/art-34-gdpr/
https://gdpr-info.eu/recitals/no-87/

 

Shopify
Community Manager
203 5 269

@lireille wrote:

What merchants are affected? Will you notify your merchants that are affected? 


Hi @lireille

All affected merchants have been contacted.

Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 

- To learn more visit the Shopify Help Center or the Shopify Blog

Allison-Claire
Visitor
1 0 0

I was not notified.

Shopify
Community Manager
203 5 269

@Allison-Claire wrote:

I was not notified.


Hi @Allison-Claire,

All impacted merchants have been contacted. If you did not receive an email your store(s) were not impacted by this incident.

Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 

- To learn more visit the Shopify Help Center or the Shopify Blog

ElizabethAragao
Shopify Partner
1 0 0

I have a client using Shopify and her store was hacked two nights in a row (Monday and Tuesday night). Is this related or was data compromised in some other way? 

Shopify
Community Manager
203 5 269

@ElizabethAragao wrote:

I have a client using Shopify and her store was hacked two nights in a row (Monday and Tuesday night). Is this related or was data compromised in some other way? 


Hi @ElizabethAragao

All impacted merchants have been contacted. If your client did not receive an email their store(s) were not impacted by this incident. 

If they have concerns about their store however please have them contact Shopify Support. Thanks.

Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 

- To learn more visit the Shopify Help Center or the Shopify Blog

imnotarobotboop
Visitor
1 0 0

Sounds like someone is getting their lookalike audiences and email lists ready for holidays... 😞 

12munchi
Visitor
2 0 1

how are we going to know how many merchants were involved And how am I going to know that they affect me

Shopify
Community Manager
203 5 269

@12munchi wrote:

how are we going to know how many merchants were involved And how am I going to know that they affect me


Hi @12munchi

Less than 200 merchants were affected, and all affected merchants have been contacted.

 

Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 

- To learn more visit the Shopify Help Center or the Shopify Blog

pjp
Visitor
2 0 1

What’s the country of the stores that were affected?

Nem360
Tourist
4 0 4

Hello,

I just received and email from Thrive cosmetics about the data breach and it makes sense now I know how my card number was stolen and used to charge up almost $5000 on it a few days ago! People keep an eye on your banking information it happens fast I am thankful to have a good bank who caught it early.

Shopify
Community Manager
203 5 269

@Nem360 wrote:

Hello,

I just received and email from Thrive cosmetics about the data breach and it makes sense now I know how my card number was stolen and used to charge up almost $5000 on it a few days ago! People keep an eye on your banking information it happens fast I am thankful to have a good bank who caught it early.


Hi @Nem360

No complete credit information was taken during this incident and therefore fraud and identity theft are unlikely. Thanks

Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 

- To learn more visit the Shopify Help Center or the Shopify Blog

Nem360
Tourist
4 0 4

Unlikely but never zero. I have been trying to figure out how it could have happened and this has answered it for me. The odds of it being another site vs this is slim unless you know of another site that wad hacked within the last 7days.  But I do like how instead of just saying we are sorry or happy your bank caught it you go straight into denial thanks.

jasmd25
Visitor
2 0 3

Same store to me Thrive cosmetics.... 

2 credit card fraud charges. So YES they had the cc info somehow

Nem360
Tourist
4 0 4

Shopify won't do anything but tell you "idenity theft was impossible". contact your bank, cancel the cards and get the charges removed thats all you can do.

fraudvictim
Visitor
2 0 2
@jasmd25 and @Nem360 - the only Shopify store I used was Thrive Cosmetics and I am also a victim of fraud here. 

Originally it was fraud on one card I used to purchase items from Thrive, so I cancelled the card. Then, i switched to another card to buy more on Thrive and then that card got fraud on it as well. None of my other cards have fraud on them and the two impacted cards are from different banking institutions. So the likelihood that this is related here goes up in my book. 
 
 I recognize Shopify’s position that no credit card data was stolen, the fact that the only two cards I used on Shopify both had fraud before the time of this incident is too much of a coincidence to ignore. 
 
Often, what companies originally uncover in terms of a data breach turns out to be greater than originally thought. 
 
Shopify’s post mentions this incident has been reported to authorities. I would like the fraud on my credit cards reported to those same authorities and internally to Shopify management as this could indeed be a case where there is more than meets the eye. 

Posts about this from three separate users purchasing from the same Shopify store is more than just a coincidence. 
jrodak49
Visitor
2 0 0
I don’t understand. If the fraud occurred before the incident then how can it be related to this breach?
Nem360
Tourist
4 0 4

The fraud accured before they announced it not before it happened.  It takes companies sometimes days before they realize then they make the decision on whether or not to report it.  In my case I can still see every dang charge these guys try on my now dead card.  Last charge was Friday they attempted 4 LYFT charges.  I tried contacting LYFT NOTHING! I just informes my bank, it's crazy how stealing a cars or identity theft is looked at like not even a big deal now a day.

 

fraudvictim
Visitor
2 0 2

@Nem360 is spot on. If you read the memo from Shopify closely, this is an internal breach where employees accessed personal data of customers. We are being notified after those employees were terminated and reported to authorities. 

In my opinion, Shopify has an ethical obligation to pursue complaints from customers regarding potentially related fraud and also ensure it is reported to those same authorities which Shopify originally reported the incident to. Otherwise, law enforcement would not know true true extent of the issue and the bad actors in this case could get off the hook for crimes that went unreported. 

twinnii
Visitor
3 0 0

I agree with you. Shopify should take into account your concern and include it into the investigation and then determine officially if it was or was not breached. According to Kylie's website, the breach occurred from August 15th to September 15th. https://www.kyliecosmetics.com/pages/faqs

From Kylie's website. I would take it into consideration.

"SECURITY FAQ'S

  • What happened? 
    Kylie Cosmetics recently became aware of an information security incident suffered by our e-commerce vendor, Shopify. Although their investigation is ongoing, Shopify has shared that this incident involved two members of their customer support team that obtained transactional records related to certain merchants, including Kylie Cosmetics.

    Kylie Cosmetics is committed to protecting the security of our customers’ information and was deeply disappointed to learn that Shopify’s incident affected some of our customers. Upon learning of this incident Kylie Cosmetics promptly initiated an investigation into the incident and has communicated extensively with Shopify to learn more about what occurred. Shopify has informed us that it engaged an outside forensic investigation firm to assist them in investigating and remediating the situation and has reported the incident to the FBI and other international agencies and are working with law enforcement in their investigation of this incident.

    We recognize the importance of protecting the privacy and security of our guests’ information and we are continuing to work diligently with Shopify to get additional information about this incident and their investigation and response to this matter. 

  • When did this happen? 
    Based on the information we have received from Shopify, it appears that this incident occurred between August 15 and September 15, 2020."
twinnii
Visitor
3 0 0

@fraudvictim @jasmd25 and @Nem360 - Hello, I just wanted to ask, did the charges occur with another Shopify merchant? The reason why I ask, is that these employees used  "Shopify’s Orders API" which would probably allow them to make charges to your card, but not necessarily exposing your security code or whole credit card number. Please let me know. Thank you.

Shopify
Community Manager
203 5 269

@twinnii wrote:

The reason why I ask, is that these employees used  "Shopify’s Orders API" which would probably allow them to make charges to your card, but not necessarily exposing your security code or whole credit card number. Please let me know. Thank you.


Hi @twinnii,

The Orders API does not have the capability to perform credit card charges. 

Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 

- To learn more visit the Shopify Help Center or the Shopify Blog

michelq
Shopify Partner
1 0 1

Mentioning that affected merchants were contacted is not sufficient.

You need to provide us with the list of Merchants that were subject to this fraud as we need to support our clients in a much more proactive manner. 

12munchi
Visitor
2 0 1
Yes I would like this list to I’m not sure who I bought with that is supported by the shop to five so I would like a list of merchants that was compromised as well
Shopify
Community Manager
203 5 269

Hi @michelq & @12munchi,

All impacted merchants have been contacted, and a listing of affected merchants cannot be provided.

If your client did not receive an email their store(s) were not impacted by this incident.

If they have concerns about their store however please have them contact Shopify Support.

Thanks.

Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 

- To learn more visit the Shopify Help Center or the Shopify Blog

Eleda_Towle
Shopify Partner
12 0 6

I appreciate the immediate notification of affected stores and public announcement here of the issue.  No business these days is completely immune, so it falls back to the old adage, "Customer service isn't about nothing ever going wrong - It's about how you handle it when it does."  I appreciate Shopify's openness and prompt response to this issue. That gives me confidence that future issues will be handled just as well.

(My store wasn't affected, so I'm speaking just as a Shopify customer.)

jcmediahouse
Tourist
6 0 1

I'm terribly worried and concerned about this incident

Shopify
Community Manager
203 5 269

@jcmediahouse wrote:

I'm terribly worried and concerned about this incident


Hi @jcmediahouse

Since becoming aware of the incident, Shopify has conducted a thorough investigation of the incident, immediately suspended the individuals’ access to our network, notified law enforcement, and engaged a third party digital forensics firm to conduct an independent investigation. Merchant trust and data security remain a top priority at Shopify, and we are committed to protecting our platform, our merchants, and their customers. Thanks!

Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 

- To learn more visit the Shopify Help Center or the Shopify Blog

jasmd25
Visitor
2 0 3

I just had 2 cancel my credit card. I was one of those customers. Received an email from the online store and had 2 fraudulent charges on my credit card.

I am really concern about identity theft. Who should I contact about that?

jrodak49
Visitor
2 0 0

Is the reason you can't ID merchants due to contractual privacy issues with them? I'm writing a blog post about this and I want to be accurate. Thanks!!!

lovica
Explorer
71 11 17

Shopify, thank you for making (us) members aware of this incident, keeping us updated and reporting it to authorities. Hope the investigation goes well. Keep up the good work!

 

Tasmimahossain
Visitor
2 0 0

I know that Shopify staff are always aware of merchants. so, I want that Shopify staff would be taken action for affected merchants.