Shopify plugin exposes hundreds of websites to attacks
A trusted Shopify plugin designed to enforce privacy compliance ended up quietly exposing hundreds of online stores to serious security threats.

Key takeaways:

Shopify’s plugin marketplace is filled with tools promising better performance, legal compliance, and streamlined customer experience. But even top-rated, officially vetted apps can expose your store to massive risk.

The Cybernews research team uncovered a publicly accessible Kafka server leaking sensitive data from Consentik, a Shopify plugin built to help merchants comply with privacy laws like GDPR, LGPD, and CCPA. The exposed instance was live for at least four months.

The Consentik plugin adds cookie consent banners to customer websites. However, the unsecured server was broadcasting real-time site analytics and private authentication tokens, including Shopify admin credentials and Facebook ad tokens, to anyone on the internet who knew where to look.

Launched in 2018, the plugin holds a 4.9-star rating and Shopify’s “Made for Shopify” badge, positioning it as a reputable solution for merchants seeking compliance with global privacy laws.

Leaking plugin’s position on the Shopify App Store

However, it was still putting hundreds of e-commerce businesses operating in sectors like fashion, cosmetics, fitness, and consumer electronics at risk. The leak potentially allowed anyone to intercept credentials granting admin-level access.

The plugin's owner is Omegatheme, a Vietnamese web development company. Since 2015, Omegatheme claims to have built 28 apps and amassed more than 39,000 global clients.

Cybernews contacted the company, and access was secured. Our journalists also contacted Shopify. Official comments from both companies have yet to be received.

Leaked Facebook tokens

Attackers could take over e-shops

What was leaked?

  • Site analytics data
  • Shopify Personal Access Tokens
  • Facebook Auth Tokens

In the wrong hands, a valid Shopify token can mean total control of a store, including customer data access, price manipulation, malicious code injection, or even replacing entire storefronts with lookalike phishing pages.

“The scope of what can be accessed using the Shopify Personal Access Token can vary depending on the plugin that the token was generated for,” said the Cybernews research team.

“While some Shopify plugins give an idea of what information they’re able to access from customer sites, Consentik did not provide this information either on the Shopify App Store or in their Privacy Policy,” the team added.

The Facebook tokens, meanwhile, opened another door into connected Meta Ads accounts, enabling attackers to launch fraudulent campaigns on the merchant’s dime.
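The two token types listed above are exactly the kind of values that should never appear in an analytics stream. As an added illustration (not code from Cybernews, Consentik, or Omegatheme), the scanner below shows how a merchant or platform team could audit their own Kafka topics for leaked credentials before a third party finds them. It reads constructed sample records rather than a live broker, and the token formats are assumptions: Shopify Admin API access tokens are assumed to use the `shpat_` prefix plus 32 hex characters, and Facebook access tokens are assumed to begin with `EAA`.

```python
import re
from dataclasses import dataclass

# Constructed sample records, standing in for what a consumer of an
# unauthenticated analytics topic might read. None of these tokens are real.
SAMPLE_RECORDS = [
    '{"event":"pageview","shop":"example-store.myshopify.com","path":"/collections/all"}',
    '{"shop":"example-store.myshopify.com","shopify_token":"shpat_0123456789abcdef0123456789abcdef"}',
    '{"shop":"another-store.myshopify.com","fb_token":"EAAB' + "x" * 60 + '"}',
    '{"event":"consent","shop":"third.myshopify.com","accepted":true}',
]

# Assumed token shapes (not taken from the article). Tune these for your estate:
# Shopify Admin API tokens -> "shpat_" + 32 hex chars; Facebook tokens -> "EAA..."
PATTERNS = {
    "shopify_admin_token": re.compile(r"\bshpat_[0-9a-f]{32}\b"),
    "facebook_access_token": re.compile(r"\bEAA[A-Za-z0-9]{20,}\b"),
}


@dataclass
class Finding:
    record_index: int  # position of the offending record in the stream
    kind: str          # which PATTERNS entry matched
    redacted: str      # enough of the token to triage, never the full value


def redact(token: str) -> str:
    """Keep prefix and last four characters so findings can be logged safely."""
    return token[:6] + "..." + token[-4:]


def scan_records(records):
    """Return a Finding for every credential-shaped value in the records."""
    findings = []
    for index, record in enumerate(records):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(record):
                findings.append(Finding(index, kind, redact(match.group(0))))
    return findings


def summarize(findings):
    """Count findings per token kind; useful as an alerting metric."""
    counts = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for finding in results:
        print(f"record {finding.record_index}: {finding.kind} {finding.redacted}")
    print(summarize(results))
```

In a real deployment the same `scan_records` logic would run inside a consumer attached to the topics your application publishes to, and any non-zero `summarize` count should page the owning team and trigger token rotation; the scanner only ever stores redacted values, so the audit trail itself does not become another leak.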

Leaked Shopify personal access tokens

Aside from draining budgets, these kinds of compromises can seriously damage a brand’s trust with users. In the EU and California, such oversights could bring legal scrutiny, fines, or even class-action litigation.

This kind of centralized exposure is a jackpot for cybercriminals. Having a list of vulnerable stores, all using the same plugin, slashes the overhead for mass exploitation of hundreds of sites.

Other leaked tokens

Timeline:

  • Leak discovered: April 15th, 2025
  • Initial disclosure: April 18th, 2025
  • Leak closed: May 28th, 2025