FROM CACHE - en_header

Incident Update

Shopify
Community Manager
Community Manager
129 0 99

Recently, Shopify became aware of an incident involving the data of less than 200 merchants. We immediately launched an investigation to identify the issue--and impact--so we could take action and notify the affected merchants.

Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants. We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.

This incident was not the result of a technical vulnerability in our platform, and the vast majority of merchants using Shopify are not affected. However, those whose stores were illegitimately accessed may have had customer data exposed. This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.

Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.

To put it simply, we are committed to protecting our platform, our merchants, and their customers. We will continue to work hard to earn your trust every day.

Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 

- To learn more visit the Shopify Help Center or the Shopify Blog

Replies 33 (33)
Shopify
Community Manager
Community Manager
129 0 99

@jcmediahouse wrote:

I'm terribly worried and concerned about this incident


Hi @jcmediahouse

Since becoming aware of the incident, Shopify has conducted a thorough investigation of the incident, immediately suspended the individuals’ access to our network, notified law enforcement, and engaged a third party digital forensics firm to conduct an independent investigation. Merchant trust and data security remain a top priority at Shopify, and we are committed to protecting our platform, our merchants, and their customers. Thanks!

Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 

- To learn more visit the Shopify Help Center or the Shopify Blog

jasmd25
New Member
2 0 3

I just had 2 cancel my credit card. I was one of those customers. Received an email from the online store and had 2 fraudulent charges on my credit card.

I am really concern about identity theft. Who should I contact about that?

jasmd25
New Member
2 0 3

Same store to me Thrive cosmetics.... 

2 credit card fraud charges. So YES they had the cc info somehow

Nem360
Tourist
4 0 4

Shopify won't do anything but tell you "idenity theft was impossible". contact your bank, cancel the cards and get the charges removed thats all you can do.

jrodak49
New Member
2 0 0

Is the reason you can't ID merchants due to contractual privacy issues with them? I'm writing a blog post about this and I want to be accurate. Thanks!!!

fraudvictim
New Member
2 0 2
@jasmd25 and @Nem360 - the only Shopify store I used was Thrive Cosmetics and I am also a victim of fraud here. 

Originally it was fraud on one card I used to purchase items from Thrive, so I cancelled the card. Then, i switched to another card to buy more on Thrive and then that card got fraud on it as well. None of my other cards have fraud on them and the two impacted cards are from different banking institutions. So the likelihood that this is related here goes up in my book. 
 
 I recognize Shopify’s position that no credit card data was stolen, the fact that the only two cards I used on Shopify both had fraud before the time of this incident is too much of a coincidence to ignore. 
 
Often, what companies originally uncover in terms of a data breach turns out to be greater than originally thought. 
 
Shopify’s post mentions this incident has been reported to authorities. I would like the fraud on my credit cards reported to those same authorities and internally to Shopify management as this could indeed be a case where there is more than meets the eye. 

Posts about this from three separate users purchasing from the same Shopify store is more than just a coincidence. 
jrodak49
New Member
2 0 0
I don’t understand. If the fraud occurred before the incident then how can it be related to this breach?
Nem360
Tourist
4 0 4

The fraud accured before they announced it not before it happened.  It takes companies sometimes days before they realize then they make the decision on whether or not to report it.  In my case I can still see every dang charge these guys try on my now dead card.  Last charge was Friday they attempted 4 LYFT charges.  I tried contacting LYFT NOTHING! I just informes my bank, it's crazy how stealing a cars or identity theft is looked at like not even a big deal now a day.

 

lovica
Explorer
71 11 16

Shopify, thank you for making (us) members aware of this incident, keeping us updated and reporting it to authorities. Hope the investigation goes well. Keep up the good work!

 

fraudvictim
New Member
2 0 2

@Nem360 is spot on. If you read the memo from Shopify closely, this is an internal breach where employees accessed personal data of customers. We are being notified after those employees were terminated and reported to authorities. 

In my opinion, Shopify has an ethical obligation to pursue complaints from customers regarding potentially related fraud and also ensure it is reported to those same authorities which Shopify originally reported the incident to. Otherwise, law enforcement would not know true true extent of the issue and the bad actors in this case could get off the hook for crimes that went unreported. 

Tasmimahossain
New Member
2 0 0

I know that Shopify staff are always aware of merchants. so, I want that Shopify staff would be taken action for affected merchants.

twinnii
New Member
3 0 0

I agree with you. Shopify should take into account your concern and include it into the investigation and then determine officially if it was or was not breached. According to Kylie's website, the breach occurred from August 15th to September 15th. https://www.kyliecosmetics.com/pages/faqs

From Kylie's website. I would take it into consideration.

"SECURITY FAQ'S

  • What happened? 
    Kylie Cosmetics recently became aware of an information security incident suffered by our e-commerce vendor, Shopify. Although their investigation is ongoing, Shopify has shared that this incident involved two members of their customer support team that obtained transactional records related to certain merchants, including Kylie Cosmetics.

    Kylie Cosmetics is committed to protecting the security of our customers’ information and was deeply disappointed to learn that Shopify’s incident affected some of our customers. Upon learning of this incident Kylie Cosmetics promptly initiated an investigation into the incident and has communicated extensively with Shopify to learn more about what occurred. Shopify has informed us that it engaged an outside forensic investigation firm to assist them in investigating and remediating the situation and has reported the incident to the FBI and other international agencies and are working with law enforcement in their investigation of this incident.

    We recognize the importance of protecting the privacy and security of our guests’ information and we are continuing to work diligently with Shopify to get additional information about this incident and their investigation and response to this matter. 

  • When did this happen? 
    Based on the information we have received from Shopify, it appears that this incident occurred between August 15 and September 15, 2020."
twinnii
New Member
3 0 0

@fraudvictim @jasmd25 and @Nem360 - Hello, I just wanted to ask, did the charges occur with another Shopify merchant? The reason why I ask, is that these employees used  "Shopify’s Orders API" which would probably allow them to make charges to your card, but not necessarily exposing your security code or whole credit card number. Please let me know. Thank you.

Shopify
Community Manager
Community Manager
129 0 99

@twinnii wrote:

The reason why I ask, is that these employees used  "Shopify’s Orders API" which would probably allow them to make charges to your card, but not necessarily exposing your security code or whole credit card number. Please let me know. Thank you.


Hi @twinnii,

The Orders API does not have the capability to perform credit card charges. 

Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 

- To learn more visit the Shopify Help Center or the Shopify Blog