Insecure plug-in exposes Shopify merchants
- July 21, 2025
- Steve Rogerson

A Shopify plug-in designed to help merchants comply with privacy laws such as GDPR, LGPD and CCPA was exposing hundreds of online stores, broadcasting real-time site analytics and private authentication tokens.
The Cybernews research team has discovered that the insecure Consentik plug-in exposed hundreds of Shopify storefronts to code injection, data theft and account takeovers.
The insecure compliance plug-in was leaking real-time site analytics and private authentication tokens, including Shopify admin credentials and Facebook ad tokens. The leak was caused by an unsecured Kafka server. The data were available to anyone on the internet for at least 100 days before access was closed.
What was leaked included site analytics data, Shopify personal access tokens and Facebook authentication tokens.
This data leak puts ecommerce businesses operating in sectors such as fashion, cosmetics, fitness and consumer electronics at risk, and may have allowed anyone to gain admin-level access. In the wrong hands, a valid Shopify (www.shopify.com) token can mean total control of a store, including customer data access, price manipulation, malicious code injection, or even replacing entire storefronts with lookalike phishing pages.
Additionally, these kinds of compromises can seriously damage a brand’s trust with users. In the EU and California, such oversights could bring legal scrutiny, fines or even class-action litigation.
Launched in 2018, the plug-in holds a 4.9-star rating and the Made for Shopify badge, positioning it as a reputable option for merchants seeking compliance with global privacy laws. The plug-in’s owner is Omegatheme (www.omegatheme.com), a Vietnamese web development company. Since 2015, Omegatheme claims to have built 28 apps and amassed more than 39,000 global clients. The leak was discovered in April and Cybernews contacted the company; access was secured in May.
“The scope of what can be accessed using the Shopify personal access token can vary depending on the plug-in that the token was generated for,” said the Cybernews (cybernews.com) research team. “While some Shopify plug-ins give an idea of what information they’re able to access from customer sites, Consentik did not provide this information either on the Shopify app store or in their privacy policy.”
The Facebook tokens, meanwhile, opened another door into connected Meta Ads accounts, enabling attackers to launch fraudulent campaigns using the merchant’s money.