- Consentik, a cookie consent & consent management app for Shopify, kept sensitive data in an open archive
- The archive was available for at least 100 days, if not more
- It included site analytics data, Shopify Personal Access Tokens, and Facebook Auth Tokens
A major, reputable Shopify plugin, was leaking sensitive information for months, exposing hundreds of ecommerce businesses to all sorts of risks, experts have warned.
Security researchers from Cybernews spotted the leak and helped plug the hole, having discovered a publicly accessible Kafka server which was holding sensitive data from Consentik.
Consentik is a cookie consent & consent management app for Shopify, designed to help store owners comply with privacy regulations like GDPR, CCPA, LGPD, and others. The intel found on this server included site analytics data, Shopify Personal Access Tokens, and Facebook Auth Tokens.
Grave risk
Consentik was built by a Vietnamese web developer Omegatheme, back in 2018, and according to data from Storeleads, the Consentik GDPR Cookies Banner is currently installed on 4,180 Shopify stores, meaning there was plenty of information to harvest.
The plugin has a 4.9-star rating, and a “Made for Shopify” badge, presenting itself as a trusted, reliable solution for merchants looking to be compliant with global privacy laws.
The report does not state how much information was present in the archives, or how many e-commerce sites were exposed to potential risk. It did, however, explain that the risk was grave:
“In the wrong hands, a valid Shopify token can mean total control of a store, including customer data access, price manipulation, malicious code injection, or even replacing entire storefronts with lookalike phishing pages,” the researchers said.
“The Facebook tokens, meanwhile, opened another door into connected Meta Ads accounts, enabling attackers to launch fraudulent campaigns on the merchant’s dime.”
Cybernews’ researchers didn’t state if anyone managed to grab these files in the past, but it did say that that the archive was available for at least 100 days before being closed down in late May 2025.
Via Cybernews
