Hundreds of e-stores were exposed by an insecure Shopify plugin
The Cybernews research team has discovered that Consentik, a Shopify plugin designed to help merchants comply with privacy laws such as GDPR, LGPD, and CCPA, was exposing hundreds of online stores, broadcasting real-time site analytics and private authentication tokens.
Key research takeaways
- Hundreds of Shopify storefronts were vulnerable to code injection, data theft, and account takeovers due to an insecure Consentik plugin.
- The insecure compliance plugin was leaking real-time site analytics and private authentication tokens, including Shopify admin credentials and Facebook ad tokens.
- The source of the leak was an unsecured Kafka server: the broker was reachable from the internet, so anyone who connected to it could read the message stream.
- The data was available to anyone on the internet for at least 100 days before the exposure was closed.
What was leaked?
- Site analytics data
- Shopify Personal Access Tokens
- Facebook Auth Tokens
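Added example (not code from Cybernews, Consentik, or Shopify): a small Python scanner for the token types listed above. It takes records as (offset, payload) pairs, which is the shape a Kafka consumer hands back, flags credential-shaped strings, and reports redacted findings grouped by shop so a responder can tell which stores need their tokens rotated. The SAMPLE_RECORDS are constructed and the token values in them are made up; the Shopify pattern (shpat_/shpca_/shppa_ followed by 32 hex characters) is the shape common secret scanners use, while the "EAA" prefix for Facebook tokens is an assumption about their usual shape rather than a documented format.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Token shapes. Shopify Admin API access tokens are "shpat_" followed by
# 32 hex characters (custom-app "shpca_" and legacy private-app "shppa_"
# tokens share the shape); this is the pattern common secret scanners use.
# Meta/Facebook access tokens are matched on an "EAA" prefix plus a long
# alphanumeric body: that is an assumption about their usual shape, not a
# documented format, so treat those hits as "review", not "confirmed".
PATTERNS = {
    "shopify_access_token": re.compile(r"\bshp(?:at|ca|pa)_[0-9a-fA-F]{32}\b"),
    "facebook_access_token": re.compile(r"\bEAA[0-9A-Za-z]{60,}\b"),
}


@dataclass(frozen=True)
class Finding:
    offset: int          # position of the record in the stream (Kafka offset)
    kind: str            # which PATTERNS entry matched
    shop: Optional[str]  # "shop" field of the record, if it was JSON
    token_hint: str      # redacted: first 10 characters plus the length


def redact(token: str) -> str:
    """Keep just enough of a secret to correlate findings, never the whole value."""
    return token[:10] + "..." + f"({len(token)} chars)"


def scan_record(offset: int, payload: bytes) -> List[Finding]:
    """Find credential-shaped strings in one record, whether JSON or plain text."""
    text = payload.decode("utf-8", errors="replace")
    shop = None
    try:
        doc = json.loads(text)
        if isinstance(doc, dict) and isinstance(doc.get("shop"), str):
            shop = doc["shop"]
    except json.JSONDecodeError:
        pass  # not JSON; still worth scanning as raw text
    return [
        Finding(offset, kind, shop, redact(m.group(0)))
        for kind, rx in PATTERNS.items()
        for m in rx.finditer(text)
    ]


def scan_records(records: Iterable[Tuple[int, bytes]]) -> List[Finding]:
    """Scan an iterable of (offset, payload) pairs, e.g. consumer records."""
    findings: List[Finding] = []
    for offset, payload in records:
        findings.extend(scan_record(offset, payload))
    return findings


def affected_shops(findings: Iterable[Finding]) -> List[str]:
    """Distinct shop domains that had at least one token exposed, sorted."""
    return sorted({f.shop for f in findings if f.shop})


# Constructed sample records in the shape of analytics events; the token
# values are made up and match only the regexes, not any real credential.
SAMPLE_RECORDS = [
    (101, json.dumps({"shop": "alpha-fashion.myshopify.com",
                      "event": "pageview", "path": "/products/jacket"}).encode()),
    (102, json.dumps({"shop": "alpha-fashion.myshopify.com",
                      "event": "sync",
                      "shopify_token": "shpat_0123456789abcdef0123456789abcdef"}).encode()),
    (103, json.dumps({"shop": "beta-cosmetics.myshopify.com",
                      "event": "ads_sync",
                      "fb_token": "EAA" + "Q" * 80}).encode()),
    (104, b"heartbeat shpat_abc not-a-real-token"),  # too short: must not match
]


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print(f"offset={f.offset} kind={f.kind} shop={f.shop} token={f.token_hint}")
    print("affected shops:", affected_shops(results))
```

To run this against a live topic instead of the constructed sample, feed `scan_records` the `(record.offset, record.value)` pairs from whatever consumer library you use; the scanner never stores or prints a full token, only a prefix and length, so its output can be shared with the affected merchants without re-leaking the secret.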
Significance of this leak
This data leak puts e-commerce businesses operating in sectors such as fashion, cosmetics, fitness, and consumer electronics at risk, and may have allowed anyone who found the exposed server to obtain admin-level access to the affected stores.
In the wrong hands, a valid Shopify token can mean total control of a store, including customer data access, price manipulation, malicious code injection, or even replacing entire storefronts with lookalike phishing pages.
Additionally, these kinds of compromises can seriously damage a brand’s trust with users. In the EU and California, such oversights could bring legal scrutiny, fines, or even class-action litigation.
The full Cybernews research report includes screenshot samples of the leaked data.
This entry was posted on July 15, 2025 at 9:34 am and is filed under Commentary with tags Cybernews.