A security incident has affected hundreds of Shopify merchants. Consentik, a plugin sold for privacy-consent compliance, leaked sensitive store credentials. The exposed tokens could have given an attacker full administrative access to affected storefronts and to the ad accounts connected to them.
Consentik is built by Omegatheme, a software firm based in Vietnam. The plugin claims more than 39,000 installs and holds a 4.9-star rating on the Shopify app store. Despite that reputation, an exposed Kafka server operated for the plugin streamed Shopify admin tokens and ad-platform tokens in real time for more than three months.
Exposed Credentials Raise Serious Threats
Cybersecurity researchers discovered the exposure in April 2025, and by late May it had been closed. Even so, the server was open long enough to endanger many high-revenue Shopify businesses.
The leak included:
- Shopify access tokens granting full admin access to the merchant's store
- Facebook (Meta) ad-account tokens, usable to run campaigns on the merchant's ad budget
- Live analytics on customer behavior and storefront performance
These credentials could allow attackers to hijack stores, launch phishing campaigns, and access customer data.
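The core failure described above is plaintext credentials travelling through a data stream that should never have carried them. As an added example, not code from the article, from Omegatheme, or from the researchers, here is a small Python scanner that checks stream records for token-shaped strings, reports a masked fingerprint of each hit, and redacts them so a record can be published or logged safely. The token formats (a Shopify Admin API token prefix such as shpat_ followed by 32 hex characters, and Meta tokens beginning with EAA), the field names and the sample records are assumptions constructed for this example; the tokens in the samples are fake.

```python
import json
import re
from dataclasses import dataclass

# Token shapes are assumptions made for this example, not facts from the article.
# Shopify Admin API access tokens carry an "shpat_" / "shppa_" / "shpca_" / "shpua_"
# prefix followed by 32 hex characters; Meta (Facebook) Graph API access tokens are
# long alphanumeric strings that conventionally start with "EAA".
TOKEN_PATTERNS = {
    "shopify_admin_token": re.compile(r"\bshp(?:at|pa|ca|ua)_[0-9a-fA-F]{32}\b"),
    "meta_access_token": re.compile(r"\bEAA[A-Za-z0-9]{60,}\b"),
}


@dataclass(frozen=True)
class Finding:
    record_index: int   # position of the offending record in the stream batch
    kind: str           # which TOKEN_PATTERNS key matched
    masked: str         # prefix + "..." + last 4 chars; the full secret is never kept


def mask(secret: str) -> str:
    """Fingerprint a secret for a report without reproducing it."""
    return secret[:6] + "..." + secret[-4:]


def scan_records(records):
    """Return (findings, redacted_records) for a batch of raw stream records.

    findings: one Finding per token occurrence, in record order.
    redacted_records: the same records with every token replaced by a
    "<kind:redacted>" placeholder, so the batch is safe to forward or log.
    """
    findings = []
    redacted = []
    for index, raw in enumerate(records):
        clean = raw
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(raw):
                findings.append(Finding(index, kind, mask(match.group(0))))
            clean = pattern.sub(f"<{kind}:redacted>", clean)
        redacted.append(clean)
    return findings, redacted


# Constructed sample batch: three consent-plugin events, two of which wrongly
# carry credentials in the payload. The token values are fabricated.
SAMPLE_RECORDS = [
    json.dumps({"shop": "example-store.myshopify.com", "event": "consent_accepted",
                "access_token": "shpat_" + "0123456789abcdef" * 2}),
    json.dumps({"shop": "example-store.myshopify.com", "event": "pixel_sync",
                "fb_token": "EAA" + "A" * 70}),
    json.dumps({"shop": "example-store.myshopify.com", "event": "page_view",
                "path": "/products/widget"}),
]


if __name__ == "__main__":
    found, safe = scan_records(SAMPLE_RECORDS)
    for f in found:
        print(f"record {f.record_index}: {f.kind} ({f.masked})")
    for line in safe:
        print(line)
```

In a real pipeline the check belongs on the producer side, before a record is written to the topic, so that a misconfigured broker can only ever leak placeholders. A credential that does show up in a consumer-side scan should be treated as compromised and revoked, not merely redacted.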
Legal and Financial Fallout for Store Owners
Merchants affected by the Consentik breach face far-reaching risks. These include financial losses, damaged brand trust, and possible non-compliance with privacy laws. Tokens leaked through the plugin could be used to:
- Change product listings
- Inject malicious code into storefront pages
- Launch fake ad campaigns
- Steal sensitive customer data
Consentik also failed to fully disclose what data it collected and where it sent it. That lack of transparency left merchants across many sectors unaware of how much of their store's access the plugin actually held.
Eye World’s View:
This breach highlights a growing problem in e-commerce security: even a verified, highly rated app can become the attack vector. Merchants should review the access scopes each installed app requests, remove apps whose permissions exceed what their function needs (uninstalling an app revokes its access token), and demand accountability from developers. Compliance tooling should never come at the cost of security.