Shopify denies hacking after customer data leaked online

Last week, an attacker published the details of nearly 180,000 customers on a hacking forum, but Shopify is blaming a third party.

E-commerce giant Shopify has denied being hacked following a leak of nearly 180,000 customer data on a popular online hacking forum.

“Shopify’s systems have not experienced any security incident,” Shopify said in a statement to multiple media outlets.

“The reported data loss was caused by a third-party app. The app developer intends to notify affected customers.”

Shopify would not confirm how many customers were affected or identify the specific third-party app involved.

The data breach in question was perpetrated by a threat actor named 888 on July 3. The threat actor claimed to have 173,873 sets of user information with the following data: Shopify ID, first name, last name, email address, mobile number, number of merchants, total spend, email subscription, email subscription date, SMS subscription, and SMS subscription date.

The threat actor also shared a small sample of the data. The data was offered as a one-time sale, and anyone interested was asked to contact 888 via private message on the forum to make an offer in Monero, a cryptocurrency popular for such criminal transactions.

The threat actor released dozens of allegedly leaked data sets in 2024 alone, including those purportedly from Credit Suisse, Assurified, and Heineken. Last month, the threat actor claimed responsibility for a data breach affecting 32,000 Accenture employees. However, the company confirmed the following day that it had only found three employee emails.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years and has worked for a wide range of print and online publications throughout his career. He enjoys delving into cybersecurity, especially when it allows him to talk about Lego.