Leaked data from Shopify plugins developed by Saara

The Cybernews research team discovered that a vast amount of sensitive data of shoppers was exposed to threat actors by the e-commerce giant’s Shopify plugin developer Saara, with millions of orders being leaked.

Key findings from the Cybernews report, covering the data breach on the Shopify plugins developed by Saara

• Researchers discovered a publicly accessible MongoDB database belonging to a US-based company, Saara, that is developing Shopify plugins.
• The leaked database stored 25GB of data.
• Leaked data was collected by plugins from over 1,800 Shopify stores using the company’s plugins.
• It held data from more than 7.6 million individual orders, including sensitive customer data.
• The data stayed up for grabs for eight months and was likely accessed by threat actors.
• The database contained a ransom note demanding 0.01 in bitcoin (around $640), or the data would be released publicly.
   

Plugins confirmed as affected by the leak:

• EcoReturns: for AI-powered returns 
• WyseMe: to acquire top shoppers

Leaked data included:

• Customer names 
• Email addresses 
• Phone numbers 
• Addresses 
• Information about ordered items 
• Order tracking numbers and links 
• IP addresses 
• User agents
• Partial payment information

Some of the online stores mostly affected by the leak: 

• Snitch
• Bliss Club
• Steve Madden
• The Tribe Concepts
• Scoboo.in
• OneOne Swimwear