The Cybernews research team discovered that a vast amount of sensitive data of shoppers was exposed to threat actors by the e-commerce giant’s Shopify plugin developer Saara, with millions of orders being leaked.
Key findings from the Cybernews report, covering the data breach on the Shopify plugins developed by Saara
- Researchers discovered a publicly accessible MongoDB database belonging to a US-based company, Saara, that is developing Shopify plugins.
- The leaked database stored 25GB of data.
- Leaked data was collected by plugins from over 1,800 Shopify stores using the company’s plugins.
- It held data from more than 7.6 million individual orders, including sensitive customer data.
- The data stayed up for grabs for eight months and was likely accessed by threat actors.
- The database contained a ransom note demanding 0.01 in bitcoin (around $640), or the data would be released publicly.
Plugins confirmed as affected by the leak:
- EcoReturns: for AI-powered returns
- WyseMe: to acquire top shoppers
Leaked data included:
- Customer names
- Email addresses
- Phone numbers
- Addresses
- Information about ordered items
- Order tracking numbers and links
- IP addresses
- User agents
- Partial payment information
Some of the online stores mostly affected by the leak:
- Snitch
- Bliss Club
- Steve Madden
- The Tribe Concepts
- Scoboo.in
- OneOne Swimwear