Shopify denies it was hacked, links stolen data to third-party app

E-commerce platform Shopify denies it suffered a data breach after a threat actor began selling customer data they claim was stolen from the company's network.

"Shopify systems have not experienced a security incident," Shopify told BleepingComputer.

"The data loss reported was caused by a third-party app. The app developer intends to notify affected customers."

This statement comes after a threat actor known as '888'  began selling data earlier this week that they claim was stolen from Shopify in 2024.

The threat actor shared data samples that include a person's Shopify ID, first name, last name, email, mobile number, order count, total spent, email subscription, email subscription date, SMS subscription, and SMS subscription date.

Shopify did not respond to further requests for more information about the app from which this customer's data was stolen.

The threat actor, 888, has previously sold or leaked data allegedly linked to Credit Suisse, Shell, Heineken, Accenture India, and Unicef.

In 2020, Shopify disclosed that two "rogue members" of its support team accessed the customer transactional records of about two hundred merchants.