Shopify plugins leaked data from nearly 2K stores

A vast amount of sensitive data of unsuspecting shoppers was exposed to threat actors by the e-commerce giant’s plugin developer, with millions of orders being leaked.

On February 21st, the Cybernews research team discovered a publicly accessible MongoDB database belonging to a US-based company, Saara, developing Shopify plugins. The company describes its plugins as an “AI/ML-powered e-commerce technology suite.”

Order Analytics entries revealing ordered items, email addresses

Plugins confirmed as affected by the leak:

  • EcoReturns: for AI-powered returns
  • WyseMe: to acquire top shoppers

Other plugins made by Saara:

  • EcoShip: for discounted shipping
  • SalesGPT: an AI e-commerce chatbot

The leaked database stored 25GB of data. This data was collected by plugins from over 1,800 Shopify stores using the company’s plugins. It held data from more than 7.6 million individual orders, including sensitive customer data. The same endpoint also had a public API that could have been used instead of the exposed database.

Order details including payment information, addresses, names, phone numbers, ordered items

The data stayed up for grabs for eight months and was likely accessed by threat actors. The database contained a ransom note demanding 0.01 BTC (around $640), or the data would be released publicly.

Cybersecurity experts warn that poorly secured databases and servers are being targeted by ransomware bots that can wipe out data. Most likely, Saara did not notice the note, as the database remained open.

More order details revealing ordered items, tracking tokens, user agents, email addresses, IP addresses

Leaked data included:

  • Customer names
  • Email addresses
  • Phone numbers
  • Addresses
  • Information about ordered items
  • Order tracking numbers and links
  • IP addresses
  • User agents
  • Partial payment information

Cybernews contacted the company, and access to the database has been secured. Saara’s founder and CEO Sachin Garg told Cybernews that upon receiving the disclosure, the company’s team “immediately blocked the access to the database.”

However, the CEO claimed that the database was password-protected and did not contain “any sensitive information.”

Incentive program for giving store credits instead of processing returns

Caution with third-party services

The leak serves as a stark example that whenever you submit your personal data online, you can never be sure if it will be handled safely. It also reminds developers of e-commerce stores to audit any third-party plugins they add to their store, as these plugins can come with severe security, privacy, legal, and financial risks.

Stores using the affected plugins include:

  • Snitch
  • Bliss Club
  • Steve Madden
  • The Tribe Concepts
  • Mesmerize India
  • By Invite Only
  • Baesic World
  • Fitville
  • OneOne Swimwear
  • Binky Bro
  • Off Duty India

The leak also underscores the importance of anonymizing data. The plugins collected nearly all information entered by users on the site, including sensitive details like names, addresses, orders, and payment information.

Data encryption or anonymization could have preserved service functionality while minimizing the collection of personal data, thereby reducing the severity of potential data leaks.
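The paragraph above makes the data-minimization argument in one sentence; the following added example (not code from Saara, Shopify or Cybernews) shows what it looks like in practice. It takes a raw order record of the kind the article says the plugins stored and reduces it to what return analytics actually needs: the e-mail becomes a keyed HMAC token (the same shopper still maps to the same token, so per-customer return statistics work, but the token cannot be reversed without the secret key), the IP address is truncated to a network prefix, and names, phone numbers, addresses, payment details, tracking links and user agents are dropped before anything is written to the analytics store. The field names, the sample order and the key are constructed assumptions for this illustration; a real deployment would load the key from a secrets manager rather than a literal.

```python
"""Added example (not Saara's, Shopify's or Cybernews' code): pseudonymise and
minimise order records before they reach an analytics database, so that a
leaked copy of that database exposes far less than the raw Shopify order.
All field names and sample values below are constructed for illustration."""
import hashlib
import hmac
import ipaddress
from typing import Any

# Raw personal-data fields that analytics does not need and that must never be persisted.
DROP_FIELDS = {"name", "phone", "address", "payment", "tracking_url", "user_agent"}

# Fields that are kept only in a transformed (pseudonymised / truncated) form.
TRANSFORMED_FIELDS = {"email", "ip"}


def pseudonymise_email(email: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the normalised e-mail address.

    Normalising first means 'Alice@Example.com' and 'alice@example.com' yield the
    same token, so per-customer analytics still line up. Using a secret key rather
    than a plain hash stops an attacker with a leaked table from simply hashing a
    list of known addresses to re-identify customers."""
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def truncate_ip(ip: str) -> str:
    """Keep only the network part of an address (IPv4 /24, IPv6 /48).

    That is enough for coarse geography and fraud signals, but no longer
    identifies an individual household."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def minimise_order(order: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Return a copy of the order containing only what return analytics needs."""
    safe: dict[str, Any] = {}
    for field, value in order.items():
        if field in DROP_FIELDS:
            continue  # never persisted
        if field == "email":
            safe["customer_token"] = pseudonymise_email(value, key)
        elif field == "ip":
            safe["ip_prefix"] = truncate_ip(value)
        elif field == "items":
            # Keep SKU and quantity only, not titles, prices or other line details.
            safe["items"] = [{"sku": item["sku"], "qty": item["qty"]} for item in value]
        else:
            safe[field] = value
    return safe


def leaked_fields(record: dict[str, Any]) -> list[str]:
    """Audit helper: list raw personal-data fields still present in a record.

    Meant as a gate in front of the persistence layer; an empty list means the
    record has been minimised."""
    return sorted(f for f in record if f in DROP_FIELDS or f in TRANSFORMED_FIELDS)


# Constructed sample order (assumption: the shape a plugin might receive from a store).
SAMPLE_ORDER: dict[str, Any] = {
    "order_id": "1001",
    "store": "example-store.myshopify.com",
    "email": "Alice@Example.com",
    "name": "Alice Example",
    "phone": "+1 555 0100",
    "address": "1 Example St, Springfield",
    "ip": "203.0.113.77",
    "user_agent": "Mozilla/5.0 (constructed)",
    "payment": {"brand": "visa", "last4": "4242"},
    "tracking_url": "https://tracking.example/ABC123",
    "items": [{"sku": "TEE-001", "qty": 2, "title": "T-shirt", "price": "19.99"}],
    "returned": False,
}

# Assumption: in production the key comes from a secrets manager, not a literal.
PSEUDONYMISATION_KEY = b"constructed-demo-key-do-not-use"

if __name__ == "__main__":
    minimised = minimise_order(SAMPLE_ORDER, PSEUDONYMISATION_KEY)
    print("raw record leaks:", leaked_fields(SAMPLE_ORDER))
    print("minimised record leaks:", leaked_fields(minimised))
    print(minimised)
```

Run as-is it prints the list of personal-data fields present in the raw order, an empty list for the minimised copy, and the minimised record itself. The design point is that the transformation is one-way and applied at ingestion: if the analytics store were later exposed the way the article describes, an attacker would obtain order ids, SKUs, a customer token and a /24 prefix, not the names, addresses, phone numbers and payment details that were leaked here.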

List of shops using the affected plugins and their license tokens

While Shopify claims to audit plugins for security issues, it seems its testing does not include evaluating the plugin developers' unsecured infrastructure, leaving private and sensitive customer data vulnerable.

Cybernews contacted the affected stores and Shopify for a comment, but a response is yet to be received.

More customer details