ADVERTISEMENT

This million-dollar leak from a Shopify rival went unnoticed for 2 years

Indian Shopify competitor Dukaan leaked sensitive credentials that could have resulted in hundreds of millions dollars drained from merchants’ accounts.

Dukaan data leak

Image by Cybernews

Paulina Okunytė
Paulina Okunytė Senior Journalist
Oct 21, 2025 Updated: 22 October 2025 2 min read
Key takeaways:
Dukaan data leak screenshot
Payment gateway logs, including payment processor authentication keys. Stripe secret key pictured in the screenshot. Source: Cybernews

What data was leaked?

  • Authentication tokens
  • End-user order details
  • Information about visited stores
  • Purchased items
  • Names
  • Email addresses
  • Phone numbers
  • Home addresses
Dukaan data leak screenshot
Kafka broker’s monitoring software configuration. Source: Cybernews

Attackers could’ve looted hundreds of millions of dollars

ADVERTISEMENT
  • Retrieved customer payment information, including card numbers, expiration dates, and CVV codes
  • Authorized fake payments or refunds to drain funds from accounts
  • Accessed merchant transaction histories to fuel targeted financial scams
Dukaan data leak screenshot
User order information, including phone numbers, email addresses, names, and addresses, as well as order amounts and pictures of ordered items. Source: Cybernews

Disclosure Timeline:


ADVERTISEMENT