A Shopify plugin meant to safeguard privacy did the opposite. For over 100 days, it quietly exposed hundreds of online stores to the kind of risk most businesses dread: data theft, full account takeover, and hijacked ad spend.
Ironically, the culprit was a compliance plugin called Consentik, built to help Shopify merchants adhere to regulations like GDPR and CCPA. The flaw turned out to be an unsecured Kafka server that broadcast sensitive data in real-time. No password, no firewall, no warning.
Researchers at Cybernews discovered the misconfigured server leaking:
- Shopify Personal Access Tokens
- Facebook Ad Tokens
- Real-time store analytics
All accessible to anyone who knew where to look.
Trust Misplaced
Consentik isn’t a fringe tool. It has a 4.9-star rating on Shopify’s plugin marketplace and carries the “Made for Shopify” badge. It promises a smoother path to compliance with privacy laws. Instead, it created a direct line into backend systems of hundreds of storefronts, many in fashion, fitness, beauty, and consumer electronics.
The exposure wasn’t theoretical. The leaked Shopify tokens could give bad actors complete admin access to stores. That means they could change prices, access customer data, inject malicious code, or clone the store to run phishing campaigns.
The leaked Facebook tokens are effectively an open door to connected Meta Ads accounts, primed for abuse.
One Plugin, Hundreds at Risk
Shopify’s plugin ecosystem is sprawling. It’s filled with apps that promise speed, compliance, automation. This incident shows how a single misstep from a third-party developer can become a gateway to mass compromise.
The plugin’s developer, Omegatheme, is a Vietnamese company with 28 apps and more than 39,000 clients. It launched Consentik in 2018 and, until now, was seen as a trusted vendor.
That trust is shaken.
Cybernews reached out to Omegatheme. The open server was secured shortly after. Shopify was also notified, though neither company has offered an official statement at the time of writing.
What Was at Stake
In the wrong hands, the leaked tokens enabled malefactors to:
- Hijack entire Shopify storefronts
- Steal customer data
- Launch fraudulent Meta ad campaigns
- Replace store content with phishing or malware
The damage goes beyond the technical. It’s reputational and financial. In places like the EU and California, there could be legal consequences, too.
“The scope of what can be accessed using the Shopify Personal Access Token can vary depending on the plugin,” Cybernews said. “But Consentik didn’t disclose what its tokens could access—neither on the Shopify App Store nor in its Privacy Policy.”
A Jackpot for Threat Actors
Misconfigured infrastructure is one thing. A centralized point of failure shared across hundreds of businesses? That’s hitting the jackpot.
Consentik’s flaw essentially offered threat actors a ready-made list of vulnerable targets. Same plugin. Same setup. Same window of attack. For cybercrooks, this slashes the effort needed to wreak havoc across a wide swath of the internet economy.
How Did This Happen?
At the center of it all was an open Kafka server. Kafka is a distributed system used for real-time data processing. Without security, it becomes a public loudspeaker, streaming sensitive data to anyone listening.
That’s what happened here. The server broadcasted live site traffic and authentication secrets from Consentik users, unencrypted and unprotected.
No credentials were needed to connect. No alerts were issued. The data was exposed for at least four months before the Cybernews team intervened.
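The open-broker configuration the article describes can be caught before deployment by auditing the broker's own settings. The following is an added example, not code from Consentik, Omegatheme or Cybernews: a small Python audit of a Kafka server.properties file that flags a plaintext listener, the absence of authentication, a missing authorizer, and the allow-everyone fallback. Both property sets are constructed for illustration; the hostname and file paths are placeholders.

```python
"""Audit a Kafka server.properties for the open-broker pattern described above.
Added example (not the plugin vendor's code); the two configs are constructed."""

OPEN_BROKER = """
# constructed: an exposed broker, roughly what the article describes
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://broker.example.invalid:9092
allow.everyone.if.no.acl.found=true
"""

HARDENED_BROKER = """
# constructed: the same broker with encryption, authentication and ACLs
listeners=SASL_SSL://0.0.0.0:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/broker.keystore.jks
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_kafka(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Kafka falls back to a plaintext listener on 9092 when none is configured.
    listeners = props.get("listeners", "PLAINTEXT://:9092")
    if "PLAINTEXT://" in listeners:
        findings.append("plaintext listener: traffic and tokens cross the wire unencrypted")
    mtls = "SSL://" in listeners and props.get("ssl.client.auth") == "required"
    if "SASL_" not in listeners and not mtls:
        findings.append("no SASL or mTLS listener: clients connect with no credentials")
    if not props.get("authorizer.class.name"):
        findings.append("no authorizer configured: any client can read every topic")
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: topics without ACLs are world-readable")
    return findings


if __name__ == "__main__":
    for name, cfg in (("open", OPEN_BROKER), ("hardened", HARDENED_BROKER)):
        print(name, audit_kafka(parse_properties(cfg)))
```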
What Comes Next
Shopify merchants who used Consentik may not even know they were exposed. That’s part of the problem. Many stores rely on third-party plugins to handle compliance, assuming these tools are secure by default.
This case proves otherwise.
Merchants affected by this should rotate all tokens, especially admin credentials and Facebook Ad tokens. If customer data was accessed, legal obligations may follow, particularly under GDPR, CCPA, and similar frameworks.
Shopify, for its part, must now reckon with the trust placed in its plugin ecosystem. Vetting isn’t enough if apps can leak data this easily, this quietly.
Restoring Trust
Boris Cipot, senior security engineer at Black Duck, says: “A data breach is always a challenging event. It creates significant issues for the affected organization and causes uncertainty and concern for users whose information may have been compromised. In this case, the root cause, a misconfigured or unsecured server, is a common but serious oversight.”
He adds that misconfigurations of this nature can arise from general errors or from test environment settings being mistakenly carried over into a live production environment.
“Consentik now faces the task of implementing robust processes and application security testing to restore and maintain trust in its software. Meanwhile, Shopify must evaluate how it manages its third-party suppliers to better safeguard customer data.”
Cipot adds that balancing speed, accuracy, and compliance at scale, while minimizing security, regulatory, and licensing risks, is never easy. “It requires strong processes and a well-defined security strategy. For affected customers, it’s wise to review your accounts, change your passwords as a precaution, and watch for any suspicious activity. If anything seems unfamiliar, report it to Shopify immediately.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.