This million-dollar leak from a Shopify rival went unnoticed for 2 years
Indian Shopify competitor Dukaan leaked sensitive credentials that could have resulted in hundreds of millions dollars drained from merchants’ accounts.
-
Dukaan's unprotected instance leaked payment gateway tokens, potentially enabling attackers to access millions of dollars.
-
Authentication tokens for Stripe, PayPal, and RazorPay were exposed, which could allow accessing merchant accounts.
-
The security lapse went undetected for over two years, giving attackers ample time to syphon the data.
-
Attackers could have drained funds through fake payments, refunds, and continuous small-scale financial abuse.
A major security lapse at Dukaan, one of India’s fastest-growing e-commerce platforms, may have exposed millions of merchants and shoppers to data theft and financial fraud.
Cybernews researchers discovered a publicly accessible Apache Kafka broker belonging to Dukaan streaming a continuous feed of data from the company’s platform. Researchers found that over 270,000 messages containing order details were being transmitted every 24 hours.
The data leak might have a huge impact on Dukaan, given its broad user base. Reportedly, Dukaan hosts over 3.5 million merchants and serves 16 million unique customers worldwide.
The exposed Kafka instance had been publicly indexed since August 2023, meaning that sensitive personal and financial data may have been accessible for over two years.
What data was leaked?
- Authentication tokens
- End-user order details
- Information about visited stores
- Purchased items
- Names
- Email addresses
- Phone numbers
- Home addresses
Attackers could’ve looted hundreds of millions of dollars
Along with personal customer data, something far more dangerous was leaked. The unprotected instance transmitted authentication tokens for payment gateways like Stripe, PayPal, and RazorPay.
Leaked authentication tokens could grant direct access to each merchant’s payment processor account. By exploiting the access attackers could have:
- Retrieved customer payment information, including card numbers, expiration dates, and CVV codes
- Authorized fake payments or refunds to drain funds from accounts
- Accessed merchant transaction histories to fuel targeted financial scams
The incident could have also allowed financially motivated threat actors or advanced persistent threat groups to drain merchant accounts. For example, the infamous Lazarus Group from North Korea is known for thousands of similar types of attacks.
By placing small test orders, attackers could have triggered the Kafka data stream to capture fresh transaction logs, extract payment tokens, and hijack the flow of funds. Over time, this could amount to hundreds of millions of dollars in financial abuse.
“What makes the situation worse is that the issue was left unidentified for over two years, potentially allowing for long-term, undetected access and allowing relatively small-scale, continuous financial abuse,” our researchers explained.
While leaked data linked to financial accounts is the most dangerous, the leaked personal details of millions of buyers is also troublesome. Such data could be exploited for identity theft, targeted phishing campaigns, or doxxing attempts.
Cybernews reached out to the company and India’s CERT regarding the situation. While the data have been secured, the company has not provided an official comment at the time of writing.
Disclosure Timeline:
Leak discovered: August 27th, 2025
Initial disclosure: August 29th, 2025
CERT contacted: September 9th, 2025
Leak closed: October 8th, 2025
Unlock more exclusive Cybernews content on YouTube.
