More than 1,800 stores on major e-commerce platform Shopify using Saara's EcoReturns and WyseMe plugins had 25 GB of data exposed due to the developer's misconfigured MongoDB database, according to Cybernews.
The database included details from over 7.6 million individual orders, including customers' names, delivery, email, and IP addresses, phone numbers, ordered item information, order tracking numbers, user agents, and partial payment details, reported Cybernews researchers, who also discovered a ransom note within the database that demanded nearly $640 worth of bitcoin.
Although the database was reportedly open for eight months before being secured, Saara's founder and CEO emphasized that the password-protected database did not have sensitive data.
The incident highlights the risks associated with third-party services, which should prompt e-commerce store developers to audit third-party plugins comprehensively, and underscores the importance of data encryption and anonymization in curbing possible data exposure.