Shopify Discloses Security Breach By Two Of Its Employees

The e-commerce giant Shopify has now fallen prey to an insider issue. Specifically, Shopify has disclosed a security breach caused by two employees that affected some of its merchants.

Shopify Security Breach

In a recent notice, Shopify, an e-commerce platform with over 1.75 million sellers, has disclosed the details of a security breach that originated with its own staff. According to the details, two of its employees accessed merchants’ transaction records. Both rogue members belonged to the support team.

The incident did not have a huge impact and affected fewer than 200 merchants. However, for those affected, customer data has potentially been breached.

As stated in the notice,

Those whose stores were illegitimately accessed may have had customer data exposed. This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased.

However, the breached data does not include payment card numbers or sensitive financial information.

Shopify has also confirmed that the incident was caused purely by human intervention and not by any technical flaw.

What Next?

Upon discovering the incident, Shopify started an investigation and involved law enforcement agencies (LEAs) in the matter.

We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts.

The company has also informed the affected merchants and is communicating with them to address any concerns.

In the previous month, a similar incident happened at the grocery vendor Instacart. Two employees belonging to a contracted support vendor had accessed shopper profiles outside the scope of their jobs as support agents.

While the investigations revealed no download or misuse of accessed data, the company did take action to prevent such incidents from happening again. They suspended the contract with the firm and strengthened the security at their end.
