This post is also available in:
עברית (Hebrew)
A plugin intended to help Shopify merchants comply with global privacy laws has inadvertently exposed sensitive data from hundreds of online stores, potentially allowing attackers to hijack accounts and steal customer information.
The issue stems from an insecure implementation of the Consentik plugin, which is commonly used to display cookie consent banners in line with regulations like GDPR. Despite holding high ratings and Shopify’s “Made for Shopify” badge, the plugin was found to be leaking real-time site analytics and private access credentials through an unprotected Kafka server.
Security researchers from Cybernews discovered that for at least 100 days, a misconfigured server broadcast confidential data over the internet without restriction. Leaked details included Shopify Personal Access Tokens—which can grant full administrative access to online stores—and Facebook advertising tokens, used to manage ad campaigns through Meta’s platforms.
According to the researchers, with these credentials in hand, malicious actors could potentially alter product listings, steal customer data, inject harmful code, or redirect entire storefronts to phishing pages. Facebook ad tokens, meanwhile, could allow fraudulent campaigns to be launched using the merchant’s account and budget.
The leak could significantly impact user trust, customer retention, and brand integrity. For many small businesses that use Shopify for their online store, this could be detrimental. The exposed data could also place merchants at risk of violating data protection laws, especially in regions with strict enforcement such as the European Union and California.
The server was eventually secured on May 28, 2025, more than a month after the leak was first identified.
This incident highlights the security risks posed by third-party tools in e-commerce environments. While Shopify apps are vetted before listing, even trusted plugins can create vulnerabilities—particularly when backend infrastructure lacks basic safeguards. Merchants relying on external compliance tools should review their permissions and monitor integrations regularly to limit exposure.
As attackers increasingly exploit weaknesses in popular platforms, these findings underline the importance of both technical vigilance and clear transparency around data handling practices.
