
Shopify employees accessed customer databases without authorization

175 points by synunlimited about 4 years ago
Got this email from Fangamer about Shopify earlier today.

----

Dear Fangamer customer,

Shopify, the company whose software runs the Fangamer store (and more than a million others online), has informed us that an internal security event it has been investigating since late last year included Fangamer customer data. Information regarding customer financial accounts and payment cards was not affected, but we are writing to make you aware of the situation.

According to Shopify, certain members of its support team used their Shopify credentials to obtain archived customer data from several hundred stores without authorization. The team members accessed data associated with order fulfillment (names, addresses, email addresses, cart contents, and phone numbers) but did not access or acquire any financial-account or payment-card information.

We are extremely frustrated and sorry to be sending you this email; Fangamer's internal development team takes data security extremely seriously. Data not in Fangamer's Shopify store, including Kickstarter backer information, account information and passwords, and email addresses used to sign up for our newsletter, was not accessed, and the store continues to operate as normal. Fangamer Japan, which operates as a separate store, was also not affected.

Shopify has terminated the employees who did this and eliminated the vulnerabilities that made it possible. Shopify has also reported that it will be providing any other relevant information to us as its investigation continues, and we'll pass along any new material details. If you have any questions, though, please contact us at orders@fangamer.com.

Thank you, Fangamer

10 comments

wyxuan about 4 years ago
The only icing on the cake is that at least Shopify has been both transparent and quick - it's only taken a couple of months and they've managed to get to the bottom of the case. A couple of months might seem long, but from what I've seen it takes about a year of lag time from the start of the breach to when the company finds out/acknowledges.

In any case I'm wondering - how did Shopify discover this intrusion? Do they check logs regularly? Did they receive a tip-off?
dgudkov about 4 years ago
It seems like employees are becoming the weakest link in cloud security. If Google is breached one day, most probably it will happen not because of a technical vulnerability, but due to employee sabotage.

I'm pretty sure that at exactly this moment somewhere some criminal is already analyzing organization structures, employee profiles, internal security policies and tools of the cloud giants.
manbackharry about 4 years ago
Didn't receive an email, but are they just now referring to the incident that took place September 23, 2020?

https://www.cbc.ca/news/business/shopify-data-breach-1.5735191
motohagiography about 4 years ago
We have recourse against platform employees who snoop user data for personal reasons, and even share it with their friends or political organizations? Literally thought that was a perk of their jobs.

Someone should tell reddit/google/facebook/amazon as that will blow things up pretty badly.

Wait until they are subject to normal privacy regulations that require the companies to list the names of people who have accessed their user data.
thebrain about 4 years ago
I got the same email from Fangamer; I'm surprised I haven't gotten similar emails from other Shopify stores I've used.
jasfi about 4 years ago
How do you protect against this sort of thing as a SaaS developer?
notadev about 4 years ago
I sometimes go out of my way to hide my identity from sites/services I sign up with. The easiest way to get doxxed is for someone to ask one of their politically-aligned buddies working at a site to pull up your info.
thinkingkong about 4 years ago
I mean... it's only news because it got out. If you seriously believe companies aren't accessing your data, it's borderline delusional.
krthkv about 4 years ago
The "employee access to customer data isn't protected" problem sits unsolved as an opportunity canvas/brief in almost every SaaS company. You can get to a fair amount of controls with little to no code and only with process changes (aka SOC and ISO certifications), which is also what SaaS security teams spend quite a bit of time on. There are a fair amount of problems to be solved here.
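Two questions in this thread (wyxuan's "do they check logs regularly?" and jasfi's "how do you protect against this as a SaaS developer?") come down to the same control: log every support-staff read of merchant data and alert on the pattern described in the email, one login touching archived order data from many stores. The example below is an added illustration, not Shopify's tooling; the JSON-lines audit format, the field names and the sample events are all constructed for it.

```python
"""Flag support-staff access sprawl across merchant stores in an audit log.

Added example, not Shopify's own code. Assumes each read of merchant data is
logged as one JSON line with the (constructed) fields ts, user, store, ticket
and action.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: agent_a works one store under an open ticket; agent_b
# exports order data from several stores in minutes with no ticket at all.
SAMPLE_LOG = """
{"ts":"2020-09-10T09:00:00","user":"agent_a","store":"s1","ticket":"T-1","action":"export_orders"}
{"ts":"2020-09-10T09:05:00","user":"agent_a","store":"s1","ticket":"T-1","action":"view_order"}
{"ts":"2020-09-10T09:10:00","user":"agent_b","store":"s1","ticket":null,"action":"export_orders"}
{"ts":"2020-09-10T09:11:00","user":"agent_b","store":"s2","ticket":null,"action":"export_orders"}
{"ts":"2020-09-10T09:12:00","user":"agent_b","store":"s3","ticket":null,"action":"export_orders"}
{"ts":"2020-09-10T09:13:00","user":"agent_b","store":"s4","ticket":null,"action":"export_orders"}
{"ts":"2020-09-11T09:00:00","user":"agent_b","store":"s5","ticket":null,"action":"export_orders"}
"""


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_suspicious(events, window=timedelta(hours=1), max_stores=3):
    """Return {user: sorted reasons} for users who either exported order data
    without a ticket or touched more than max_stores distinct stores inside
    any trailing window of the given length (sliding over each user's events)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e))
    findings = defaultdict(set)
    for user, items in by_user.items():
        items.sort(key=lambda x: x[0])
        for i, (ts, e) in enumerate(items):
            # a bulk export should always be justified by an open support ticket
            if e["action"] == "export_orders" and not e.get("ticket"):
                findings[user].add("export_without_ticket")
            # distinct stores this user touched in the window ending at this event
            recent = {ev["store"] for t, ev in items[: i + 1] if ts - t <= window}
            if len(recent) > max_stores:
                findings[user].add("store_sprawl")
    return {u: sorted(r) for u, r in findings.items()}
```

Thresholds like `max_stores` and the window length would be tuned per role; the point is that the signal exists only if every read of merchant data is logged with who, which store, and why.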
xtiansimon about 4 years ago
How was the event discovered?