Faulty Shopify plugin puts hundreds of websites at risk of invasive attacks - find out how to stay safe

News
By published

A reputable Shopify plugin was leaking sensitive data, experts warn

Sell your products online
(Image credit: Getty Images)
  • Consentik, a cookie consent & consent management app for Shopify, kept sensitive data in an open archive
  • The archive was available for at least 100 days, if not more
  • It included site analytics data, Shopify Personal Access Tokens, and Facebook Auth Tokens

A major, reputable Shopify plugin, was leaking sensitive information for months, exposing hundreds of ecommerce businesses to all sorts of risks, experts have warned.

Security researchers from Cybernews spotted the leak and helped plug the hole, having discovered a publicly accessible Kafka server which was holding sensitive data from Consentik.

Consentik is a cookie consent & consent management app for Shopify, designed to help store owners comply with privacy regulations like GDPR, CCPA, LGPD, and others. The intel found on this server included site analytics data, Shopify Personal Access Tokens, and Facebook Auth Tokens.

Grave risk

Consentik was built by a Vietnamese web developer Omegatheme, back in 2018, and according to data from Storeleads, the Consentik GDPR Cookies Banner is currently installed on 4,180 Shopify stores, meaning there was plenty of information to harvest.

The plugin has a 4.9-star rating, and a “Made for Shopify” badge, presenting itself as a trusted, reliable solution for merchants looking to be compliant with global privacy laws.

The report does not state how much information was present in the archives, or how many e-commerce sites were exposed to potential risk. It did, however, explain that the risk was grave:

“In the wrong hands, a valid Shopify token can mean total control of a store, including customer data access, price manipulation, malicious code injection, or even replacing entire storefronts with lookalike phishing pages,” the researchers said.

“The Facebook tokens, meanwhile, opened another door into connected Meta Ads accounts, enabling attackers to launch fraudulent campaigns on the merchant’s dime.”

Cybernews’ researchers didn’t state if anyone managed to grab these files in the past, but it did say that that the archive was available for at least 100 days before being closed down in late May 2025.

Via Cybernews

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.