Shaara, a company that develops Shopify plugins, had a critical data leak go undetected for over eight months.
According to the Cybernews researchers who found the exposed database, it is highly likely that attackers accessed it at least once: among the data, the researchers found a ransom note demanding roughly $640 in Bitcoin.
The exposure totalled more than 25 GB of data stored in a Shaara MongoDB database that was publicly accessible for more than eight months. The data was unencrypted and contained more than 7.6 million individual orders as well as personal data on the customers who placed them.
Anyone was free to look at customers’ email addresses, full names, phone numbers, IP addresses, home addresses, order and order tracking information, and partial payment details.
After concluding that Shaara was most likely unaware of the exposure, the Cybernews researchers contacted the company's CEO, informed them of the leak and asked for comment. The company closed off access immediately, but the CEO maintained that the leak did not contain any sensitive customer data.
The leak highlights a wider problem with Shopify's security practices: its security scans often fail to detect flaws in plugin vendors' unsecured infrastructure, which is how a multitude of companies like Shaara end up exposing sensitive customer data.
Other large data leaks traced to Shopify plugins include The Tribe Concepts, Mesmerize India, Snitch, Bliss Club, By Invite Only, and Binky Boo. In some of these cases, payment information was fully accessible.
Each of these companies was asked for comment but has yet to respond.
Researchers point out that this issue is not caused by sophisticated hackers using the latest technology but by companies failing to meet basic cybersecurity standards. Encrypting the stored records with a widely available algorithm such as AES-256, for which no practical break is known, would have left the leaked data unreadable, provided the key was kept outside the database rather than alongside the data it protects.
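To make that last point concrete, the following is an added example (not code from Shaara, Shopify or the researchers) of application-side field encryption: the PII fields of an order are sealed with AES-256-GCM before the document is written, so a dump of the collection exposes only ciphertext for those fields. The Order record, the list of PII fields, the sample values and the key derivation are assumptions made for this example; a real deployment would fetch the 32-byte key from a KMS or secret manager and never derive it from a passphrase in the binary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Order is a constructed stand-in for the kind of record described in the
// article: a few PII fields next to non-sensitive order data.
type Order struct {
	OrderID  string `json:"order_id"`
	Email    string `json:"email"`
	FullName string `json:"full_name"`
	Phone    string `json:"phone"`
	Address  string `json:"address"`
	Total    int    `json:"total_cents"`
}

// PIIFields names the document fields that must never reach the database in clear.
var PIIFields = []string{"email", "full_name", "phone", "address"}

// Encryptor wraps an AES-256-GCM AEAD. The key lives in the application
// (ideally fetched from a KMS or secret manager), never in the database.
type Encryptor struct{ aead cipher.AEAD }

func NewEncryptor(key []byte) (*Encryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Encryptor{aead: aead}, nil
}

// DemoKey derives a fixed key from a constructed passphrase so the example runs
// stand-alone. Illustration only: production keys come from a KMS, not from this.
func DemoKey() []byte {
	sum := sha256.Sum256([]byte("example-only passphrase, replace with a KMS-managed key"))
	return sum[:]
}

// seal encrypts with a fresh random nonce and binds aad (the order id) so a
// ciphertext copied into another document fails to decrypt.
func (e *Encryptor) seal(plaintext, aad []byte) (string, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := e.aead.Seal(nonce, nonce, plaintext, aad) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(ct), nil
}

func (e *Encryptor) open(encoded string, aad []byte) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := e.aead.NonceSize()
	if len(ct) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := e.aead.Open(nil, ct[:ns], ct[ns:], aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptOrder returns the document as it should be stored: every PII field
// replaced by ciphertext, everything else (order id, total) left as-is.
func (e *Encryptor) EncryptOrder(o Order) (map[string]any, error) {
	raw, err := json.Marshal(o)
	if err != nil {
		return nil, err
	}
	doc := map[string]any{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	for _, f := range PIIFields {
		s, _ := doc[f].(string)
		ct, err := e.seal([]byte(s), []byte(o.OrderID))
		if err != nil {
			return nil, err
		}
		doc[f] = ct
	}
	return doc, nil
}

// DecryptOrder reverses EncryptOrder for a document read back from the database.
func (e *Encryptor) DecryptOrder(doc map[string]any) (Order, error) {
	id, ok := doc["order_id"].(string)
	if !ok {
		return Order{}, errors.New("document has no order_id")
	}
	out := make(map[string]any, len(doc))
	for k, v := range doc {
		out[k] = v
	}
	for _, f := range PIIFields {
		s, _ := out[f].(string)
		pt, err := e.open(s, []byte(id))
		if err != nil {
			return Order{}, fmt.Errorf("field %s: %w", f, err)
		}
		out[f] = pt
	}
	raw, err := json.Marshal(out)
	if err != nil {
		return Order{}, err
	}
	var o Order
	err = json.Unmarshal(raw, &o)
	return o, err
}

func main() {
	enc, _ := NewEncryptor(DemoKey())
	o := Order{OrderID: "ord-1001", Email: "alice@example.com", FullName: "Alice Example",
		Phone: "+1-555-0100", Address: "1 Example Street", Total: 4999}
	doc, _ := enc.EncryptOrder(o)
	stored, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(stored)) // what a leaked dump of this collection would contain
}
```

Binding the order id as associated data means an attacker with write access cannot swap one customer's sealed address into another order and have the application decrypt it. Note that this protects the data at rest only; it does not excuse leaving the database reachable from the internet without authentication, which is the failure the article actually describes.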