All things Shopify and commerce
Recently, Shopify became aware of an incident involving the data of less than 200 merchants. We immediately launched an investigation to identify the issue--and impact--so we could take action and notify the affected merchants.
Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants. We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.
This incident was not the result of a technical vulnerability in our platform, and the vast majority of merchants using Shopify are not affected. However, those whose stores were illegitimately accessed may have had customer data exposed. This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.
Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.
To put it simply, we are committed to protecting our platform, our merchants, and their customers. We will continue to work hard to earn your trust every day.
- To learn more visit the Shopify Help Center or the Shopify Blog
What merchants are affected? Will you notify your merchants that are affected?
The first paragraph makes it seem like so.
It's a great time to look at GDPR Art. 33 & 34 and Recital 87:
https://gdpr-info.eu/art-33-gdpr/
https://gdpr-info.eu/art-34-gdpr/
https://gdpr-info.eu/recitals/no-87/
@lireille wrote:
What merchants are affected? Will you notify your merchants that are affected?
Hi @lireille,
All affected merchants have been contacted.
- To learn more visit the Shopify Help Center or the Shopify Blog
I was not notified.
@Allison-Claire wrote:
I was not notified.
Hi @Allison-Claire,
All impacted merchants have been contacted. If you did not receive an email your store(s) were not impacted by this incident.
- To learn more visit the Shopify Help Center or the Shopify Blog
I have a client using Shopify and her store was hacked two nights in a row (Monday and Tuesday night). Is this related or was data compromised in some other way?
@ElizabethAragao wrote:
I have a client using Shopify and her store was hacked two nights in a row (Monday and Tuesday night). Is this related or was data compromised in some other way?
Hi @ElizabethAragao,
All impacted merchants have been contacted. If your client did not receive an email their store(s) were not impacted by this incident.
If they have concerns about their store however please have them contact Shopify Support. Thanks.
- To learn more visit the Shopify Help Center or the Shopify Blog
Sounds like someone is getting their lookalike audiences and email lists ready for holidays... 😞
how are we going to know how many merchants were involved And how am I going to know that they affect me
@12munchi wrote:
how are we going to know how many merchants were involved And how am I going to know that they affect me
Hi @12munchi,
Less than 200 merchants were affected, and all affected merchants have been contacted.
- To learn more visit the Shopify Help Center or the Shopify Blog
What’s the country of the stores that were affected?
Hello,
I just received and email from Thrive cosmetics about the data breach and it makes sense now I know how my card number was stolen and used to charge up almost $5000 on it a few days ago! People keep an eye on your banking information it happens fast I am thankful to have a good bank who caught it early.
@Nem360 wrote:
Hello,
I just received and email from Thrive cosmetics about the data breach and it makes sense now I know how my card number was stolen and used to charge up almost $5000 on it a few days ago! People keep an eye on your banking information it happens fast I am thankful to have a good bank who caught it early.
Hi @Nem360,
No complete credit information was taken during this incident and therefore fraud and identity theft are unlikely. Thanks
- To learn more visit the Shopify Help Center or the Shopify Blog
Unlikely but never zero. I have been trying to figure out how it could have happened and this has answered it for me. The odds of it being another site vs this is slim unless you know of another site that wad hacked within the last 7days. But I do like how instead of just saying we are sorry or happy your bank caught it you go straight into denial thanks.
Same store to me Thrive cosmetics....
2 credit card fraud charges. So YES they had the cc info somehow
Shopify won't do anything but tell you "idenity theft was impossible". contact your bank, cancel the cards and get the charges removed thats all you can do.
The fraud accured before they announced it not before it happened. It takes companies sometimes days before they realize then they make the decision on whether or not to report it. In my case I can still see every dang charge these guys try on my now dead card. Last charge was Friday they attempted 4 LYFT charges. I tried contacting LYFT NOTHING! I just informes my bank, it's crazy how stealing a cars or identity theft is looked at like not even a big deal now a day.
@Nem360 is spot on. If you read the memo from Shopify closely, this is an internal breach where employees accessed personal data of customers. We are being notified after those employees were terminated and reported to authorities.
In my opinion, Shopify has an ethical obligation to pursue complaints from customers regarding potentially related fraud and also ensure it is reported to those same authorities which Shopify originally reported the incident to. Otherwise, law enforcement would not know true true extent of the issue and the bad actors in this case could get off the hook for crimes that went unreported.
I agree with you. Shopify should take into account your concern and include it into the investigation and then determine officially if it was or was not breached. According to Kylie's website, the breach occurred from August 15th to September 15th. https://www.kyliecosmetics.com/pages/faqs
From Kylie's website. I would take it into consideration.
"SECURITY FAQ'S
@fraudvictim @jasmd25 and @Nem360 - Hello, I just wanted to ask, did the charges occur with another Shopify merchant? The reason why I ask, is that these employees used "Shopify’s Orders API" which would probably allow them to make charges to your card, but not necessarily exposing your security code or whole credit card number. Please let me know. Thank you.
@twinnii wrote:
The reason why I ask, is that these employees used "Shopify’s Orders API" which would probably allow them to make charges to your card, but not necessarily exposing your security code or whole credit card number. Please let me know. Thank you.
Hi @twinnii,
The Orders API does not have the capability to perform credit card charges.
- To learn more visit the Shopify Help Center or the Shopify Blog
Mentioning that affected merchants were contacted is not sufficient.
You need to provide us with the list of Merchants that were subject to this fraud as we need to support our clients in a much more proactive manner.
Hi @michelq & @12munchi,
All impacted merchants have been contacted, and a listing of affected merchants cannot be provided.
If your client did not receive an email their store(s) were not impacted by this incident.
If they have concerns about their store however please have them contact Shopify Support.
Thanks.
- To learn more visit the Shopify Help Center or the Shopify Blog
I appreciate the immediate notification of affected stores and public announcement here of the issue. No business these days is completely immune, so it falls back to the old adage, "Customer service isn't about nothing ever going wrong - It's about how you handle it when it does." I appreciate Shopify's openness and prompt response to this issue. That gives me confidence that future issues will be handled just as well.
(My store wasn't affected, so I'm speaking just as a Shopify customer.)
I'm terribly worried and concerned about this incident
@jcmediahouse wrote:
I'm terribly worried and concerned about this incident
Hi @jcmediahouse,
Since becoming aware of the incident, Shopify has conducted a thorough investigation of the incident, immediately suspended the individuals’ access to our network, notified law enforcement, and engaged a third party digital forensics firm to conduct an independent investigation. Merchant trust and data security remain a top priority at Shopify, and we are committed to protecting our platform, our merchants, and their customers. Thanks!
- To learn more visit the Shopify Help Center or the Shopify Blog
I just had 2 cancel my credit card. I was one of those customers. Received an email from the online store and had 2 fraudulent charges on my credit card.
I am really concern about identity theft. Who should I contact about that?
Is the reason you can't ID merchants due to contractual privacy issues with them? I'm writing a blog post about this and I want to be accurate. Thanks!!!
Shopify, thank you for making (us) members aware of this incident, keeping us updated and reporting it to authorities. Hope the investigation goes well. Keep up the good work!
I know that Shopify staff are always aware of merchants. so, I want that Shopify staff would be taken action for affected merchants.
We recently spoke with Zopi developers @Zopi about how dropshipping businesses can enha...
By JasonH Oct 23, 2024A big shout out to all of the merchants who participated in our AMA with 2H Media: Holi...
By Jacqui Oct 21, 2024We want to take a moment to celebrate the incredible ways you all engage with the Shopi...
By JasonH Oct 15, 2024