Sensitive data belonging to millions of unsuspecting shoppers was exposed to threat actors by a developer of Shopify plugins, with millions of orders leaked.
On February 21st, the Cybernews research team discovered a publicly accessible MongoDB database belonging to Saara, a US-based company that develops Shopify plugins. The company describes its plugins as an “AI/ML-powered e-commerce technology suite.”
Plugins confirmed as affected by the leak:
- EcoReturns: for AI-powered returns
- WyseMe: to acquire top shoppers
Other plugins made by Saara:
- EcoShip: for discounted shipping
- SalesGPT: an AI e-commerce chatbot
The leaked database held 25GB of data collected by the company’s plugins from over 1,800 Shopify stores, covering more than 7.6 million individual orders and including sensitive customer data. The same endpoint also exposed a public API through which the data could have been retrieved without querying the database directly.
The data stayed up for grabs for eight months and was likely accessed by threat actors: the database contained a ransom note demanding 0.01 BTC (around $640 at the time), threatening to release the data publicly otherwise.
Cybersecurity experts have long warned that poorly secured databases and servers are targeted by automated ransom bots, which can wipe the data, leave a note, and move on. Saara most likely never noticed the note, as the database remained open.
Leaked data included:
- Customer names
- Email addresses
- Phone numbers
- Addresses
- Information about ordered items
- Order tracking numbers and links
- IP addresses
- User agents
- Partial payment information
Cybernews contacted the company, and access to the database has been secured. Saara’s founder and CEO Sachin Garg told Cybernews that upon receiving the disclosure, the company’s team “immediately blocked the access to the database.”
However, the CEO claimed that the database was password-protected and did not contain “any sensitive information.”
Caution with third-party services
The leak serves as a stark example that whenever you submit your personal data online, you can never be sure it will be handled safely. It is also a reminder to e-commerce store owners to audit any third-party plugins they add to their store, as these plugins can come with severe security, privacy, legal, and financial risks.
Affected stores included:
- Snitch
- Bliss Club
- Steve Madden
- The Tribe Concepts
- Mesmerize India
- Scoboo.in
- By Invite Only
- Baesic World
- Fitville
- OneOne Swimwear
- Binky Bro
- Off Duty India
The leak also underscores the importance of data minimization and pseudonymization. The plugins collected nearly everything users entered on the site, including names, addresses, order contents, and partial payment information.
Pseudonymizing identifiers, and encrypting any field the plugins did not need in cleartext, would have preserved service functionality while limiting what an attacker could read from a leaked copy, reducing the severity of a breach like this one.
While Shopify claims to audit plugins for security issues, that review evidently does not extend to the developer’s own infrastructure, leaving private and sensitive customer data vulnerable.
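As an added example (not Saara’s code and not taken from the article), the script below shows how a returns plugin could store the kind of per-order record described above while keeping what it needs: customer and phone identifiers are replaced by keyed HMAC pseudonyms (stable per customer, so returns and repeat-shopper analytics still work, but not reversible or brute-forceable without the key), location and IP are coarsened, and raw contact details are never written. The record layout, field names, sample orders and the demo key are all assumptions constructed for the example; in production the key would come from a secrets manager, not the source file.

```python
import hashlib
import hmac
import ipaddress
import json
from typing import Any

# Constructed demo key for the example only; a real deployment loads this
# from a secrets manager so a leaked database copy cannot re-identify anyone.
DEMO_KEY = b"demo-pseudonymization-key-not-for-production"

# Constructed sample orders in the shape a Shopify plugin might store.
# Illustrative data only, not records from the incident.
SAMPLE_ORDERS: list[dict[str, Any]] = [
    {
        "order_id": "1001",
        "store": "example-store.myshopify.com",
        "customer_name": "Jane Doe",
        "email": "Jane.Doe@example.com",
        "phone": "+1 (555) 010-1234",
        "address": {"line1": "12 Example St", "city": "Springfield",
                    "postal_code": "62704", "country": "US"},
        "items": [{"sku": "SHOE-42", "qty": 1}],
        "tracking_number": "1Z999AA10123456784",
        "ip": "203.0.113.77",
        "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Example/1.0",
        "payment": {"brand": "visa", "last4": "4242"},
    },
    {
        # Same customer, different casing/spacing: must map to the same token.
        "order_id": "1002",
        "store": "example-store.myshopify.com",
        "customer_name": "Jane Doe",
        "email": "  jane.doe@EXAMPLE.com ",
        "phone": "+1 555 010 1234",
        "address": {"line1": "12 Example St", "city": "Springfield",
                    "postal_code": "62704", "country": "US"},
        "items": [{"sku": "BAG-7", "qty": 2}],
        "tracking_number": "1Z999AA10123456791",
        "ip": "2001:db8::1",
        "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0) Example/1.0",
        "payment": {"brand": "mastercard", "last4": "5100"},
    },
]


def pseudonym(secret: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token for an identifier.

    HMAC-SHA256 over "field:value" so the same customer yields the same token
    within one field, tokens for different fields never collide, and nobody
    holding only the database can invert or dictionary-attack the value.
    """
    digest = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{digest[:24]}"


def normalize_email(email: str) -> str:
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    # Keep digits only so formatting differences do not split one customer.
    return "".join(ch for ch in phone if ch.isdigit())


def coarsen_ip(ip: str) -> str:
    """Truncate to a /24 (IPv4) or /48 (IPv6) prefix: enough for fraud
    heuristics, not enough to single out a household."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def minimize_order(order: dict[str, Any], secret: bytes) -> dict[str, Any]:
    """Return the record a returns plugin actually needs, with PII removed
    or pseudonymized. order_id and tracking_number stay because the returns
    flow needs them; everything else is tokenized, coarsened or dropped."""
    addr = order["address"]
    return {
        "order_id": order["order_id"],
        "store": order["store"],
        "customer": pseudonym(secret, "email", normalize_email(order["email"])),
        "phone_token": pseudonym(secret, "phone", normalize_phone(order["phone"])),
        # Coarse location only: postal prefix and country, no street or name.
        "region": {"postal_prefix": addr["postal_code"][:3], "country": addr["country"]},
        "items": order["items"],
        "tracking_number": order["tracking_number"],
        "ip_prefix": coarsen_ip(order["ip"]),
        # Card brand is enough for reporting; last4 is dropped entirely.
        "payment": {"brand": order["payment"]["brand"]},
    }


def leaks_raw_pii(minimized: dict[str, Any], original: dict[str, Any]) -> bool:
    """Check that none of the raw identifying strings survive in the stored
    record; a cheap regression test to run before a record is persisted."""
    blob = json.dumps(minimized).lower()
    raw_values = [
        original["customer_name"],
        normalize_email(original["email"]),
        normalize_phone(original["phone"]),
        original["address"]["line1"],
        original["ip"],
        original["user_agent"],
        original["payment"]["last4"],
    ]
    return any(v.lower() in blob for v in raw_values)


if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        m = minimize_order(o, DEMO_KEY)
        print(json.dumps(m, indent=2), "leaks_raw_pii:", leaks_raw_pii(m, o))
```

The two sample orders come from the same shopper with differently formatted contact details; after minimization they share one `customer` and one `phone_token`, so "top shopper" style analytics still work, while a copy of the stored records alone gives an attacker neither the email nor the phone number.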
Cybernews contacted the affected stores and Shopify for a comment, but a response is yet to be received.