Consent Compliance Plugin Leaks Admin Access for Hundreds of Shopify Stores
A widely used Shopify plugin meant to enforce privacy compliance ended up doing the opposite—quietly exposing hundreds of stores to major cyber risks for months.
Cybernews researchers recently uncovered an unsecured Kafka server leaking real-time data from Consentik, a high-rated Shopify app built to help merchants comply with global data privacy laws like GDPR, CCPA, and LGPD. The exposure included Shopify admin credentials, Facebook ad tokens, and live store analytics, giving attackers everything they’d need to hijack storefronts or siphon customer data.
The server, which had been publicly accessible for at least four months, was part of the backend for Consentik’s cookie banner system. It had been left open to the internet by Omegatheme, the Vietnamese developer behind Consentik, which claims to serve over 39,000 clients across its 28 apps.
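The article does not say how Omegatheme's broker came to be reachable, so the fragment below is an added illustration, not the vendor's configuration: it contrasts the kind of Kafka listener settings that leave a broker open to any internet client with a hardened equivalent. The hostnames, IP, file paths, passwords and the kafka-admin principal are placeholders, and the two fragments are alternatives for the same server.properties, not one file.

```properties
# --- Fragment A (weak): an internet-reachable, unauthenticated broker ---
# Binds every interface with no TLS and no authentication; anyone who can
# reach TCP/9092 can list and subscribe to every topic.
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://broker.example.internal:9092
# No authorizer is configured, so there are no ACLs that could deny a reader.
auto.create.topics.enable=true

# --- Fragment B (hardened): TLS + SASL/SCRAM + mandatory ACLs ---
# Bind only the private interface (placeholder address) and keep the port
# closed on the perimeter firewall; exposure should fail at the network layer too.
listeners=SASL_SSL://10.0.0.5:9093
advertised.listeners=SASL_SSL://broker.example.internal:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=CHANGE_ME_PLACEHOLDER
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=CHANGE_ME_PLACEHOLDER
# Deny by default: a principal with no matching ACL gets nothing.
# (AclAuthorizer is the ZooKeeper-mode class; KRaft clusters use
#  org.apache.kafka.metadata.authorizer.StandardAuthorizer instead.)
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:kafka-admin
auto.create.topics.enable=false
# Grant each service only the topics it needs, e.g.:
#   kafka-acls.sh --bootstrap-server broker.example.internal:9093 \
#     --command-config admin.properties --add \
#     --allow-principal User:consent-service --operation Read --topic consent-events
```

Even a locked-down broker should not carry admin tokens in its payloads; an event stream should reference a secret held in a vault rather than embed it, so a single leaked topic cannot hand over storefront access.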
“The scope of what can be accessed using the Shopify Personal Access Token can vary depending on the plugin,” Cybernews said.
“But Consentik didn’t disclose what its tokens could access—neither on the Shopify App Store nor in its Privacy Policy.”
For some storefronts, the damage could be significant. With a valid Shopify token, an attacker could:
- View or extract customer data
- Modify product listings and pricing
- Inject malicious code
- Replace entire storefronts with phishing pages
The exposed Facebook tokens also opened the door to compromised Meta Ads accounts, allowing bad actors to launch fraudulent ad campaigns under the store owner’s name—potentially draining ad budgets and damaging brand trust.
Affected stores span the fashion, cosmetics, electronics, and fitness sectors. The plugin carried Shopify’s “Made for Shopify” badge and a near-perfect 4.9-star rating, giving merchants no reason to question its integrity. But the breach highlights a critical blind spot in app security oversight—particularly for third-party tools granted deep access to sensitive systems.
The leak was quietly closed after Cybernews contacted Omegatheme. Shopify has not issued an official statement yet, and Omegatheme has not responded to public requests for comment.
Privacy and compliance plugins are often seen as protective tools, but when misconfigured, they can become liabilities. In both the EU and California, exposure of customer data through negligence can trigger regulatory fines, legal scrutiny, and class-action lawsuits.
This breach also serves as a reminder of the risks of centralized exposure. With hundreds of businesses relying on a single vulnerable plugin, attackers gain a scalable route to exploitation. A single misstep becomes a jackpot.