- Assentik, a cookie collaboration and consent administration app for Shopify, stored sensitive data in an open archive
- The archive was available for at least 100 days, if not more
- It included site analysis data, Shopify personal access tokens and Facebook auth tokens
A prominent, reputable Shopify plugin leaked sensitive information for months and exposed hundreds of e-commerce companies to all sorts of risks, experts have warned.
Security researchers from Cygenerws spotted the leak and helped plug the hole after discovering a publicly available Kafka server that held sensitive data from Assentik.
Assentik is a cookie association and consent administration app for Shopify, designed to help store owners comply with privacy regulations such as GDPR, CCPA, LGPD and others. Information found on this server included site analysis data, Shopify personal access tokens and Facebook auth tokens.
Grave risk
Assentik was built by Omegatheme, a Vietnamese web developer, back in 2018. According to data from Storageads, Assentik GDPR Cookies Banner is currently installed in 4,180 Shopify stores, which means there was plenty of information to harvest.
The plugin has a 4.9-star rating and a “Made to Shopify” emblem, and presents itself as a trusted, reliable solution for merchants who want to comply with global privacy laws.
The report does not indicate how much information was present in the archive or how many e-commerce sites were exposed to potential risk. However, it explained that the risk was severe:
“In the wrong hands, a valid Shopify token can mean total control over a store, including customer data, pricing, malicious code, or even replacing entire storefronts with lookalike phishing sites,” the researchers said.
“Facebook tokens meanwhile opened another door to connected Meta advertisements, enabling attackers to launch fake campaigns on the merchant’s dime.”
Cygenerws’ researchers did not disclose whether anyone managed to grab these files in the past, but said the archive was available for at least 100 days before being closed by the end of May 2025.
Via Cygenerws



