What happened?
Security researchers at Cybernews discovered that Consentik - a highly-rated Shopify app that adds cookie-consent banners - was running an unsecured Apache Kafka server. For at least 100 days (mid-January to 28 May 2025), that server streamed private data from every connected store directly to the open internet.
Data exposed
- Shopify Personal Access Tokens - could give an attacker full administrative control over a store (product listings, orders, customer data, theme code, etc.).
- Facebook/Meta Ads tokens - allowed the launch of fraudulent ad campaigns at the merchant’s expense.
- Real-time site analytics events - offered reconnaissance data for targeted attacks.
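The root cause described above is a Kafka broker that accepted connections without authentication or ACLs. The script below is an added example (not code from Cybernews, Consentik or Omegatheme) that audits a broker's server.properties for exactly that failure mode; both configurations it checks are constructed for illustration and assume standard Kafka property names (listeners, listener.security.protocol.map, authorizer.class.name, allow.everyone.if.no.acl.found, ssl.client.auth).

```python
"""Audit a Kafka broker's server.properties for the exposure behind this
incident: a listener that accepts unauthenticated clients and a broker with
no ACL authorizer, so anyone who can reach the port can read every topic.
Both configurations below are constructed for illustration; neither is
Consentik's or Omegatheme's real configuration."""
from __future__ import annotations

# Constructed: a broker exposed on all interfaces with no authentication or ACLs.
INSECURE_PROPERTIES = """\
broker.id=0
listeners=PLAINTEXT://0.0.0.0:9092
log.dirs=/var/lib/kafka
"""

# Constructed: the same broker behind SASL/SCRAM over TLS with ACLs enforced.
HARDENED_PROPERTIES = """\
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
sasl.enabled.mechanisms=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/broker.keystore.jks
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
log.dirs=/var/lib/kafka
"""


def parse_properties(text: str) -> dict[str, str]:
    """Parse Java-style properties: key=value lines, '#' or '!' comments ignored."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:  # Java properties also allow 'key: value'
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def listener_protocols(props: dict[str, str]) -> dict[str, str]:
    """Map each configured listener to its security protocol, honouring
    listener.security.protocol.map for custom listener names."""
    name_to_proto: dict[str, str] = {}
    for pair in props.get("listener.security.protocol.map", "").split(","):
        name, sep, proto = pair.partition(":")
        if sep:
            name_to_proto[name.strip().upper()] = proto.strip().upper()
    result: dict[str, str] = {}
    # PLAINTEXT://:9092 is what Kafka uses when 'listeners' is not set at all.
    for listener in props.get("listeners", "PLAINTEXT://:9092").split(","):
        listener = listener.strip()
        if listener:
            name = listener.split("://", 1)[0].upper()
            result[listener] = name_to_proto.get(name, name)
    return result


def audit_kafka(props: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means these checks passed."""
    findings: list[str] = []
    for listener, proto in listener_protocols(props).items():
        if proto == "PLAINTEXT":
            findings.append(f"{listener}: unencrypted and unauthenticated (PLAINTEXT)")
        elif proto == "SSL" and props.get("ssl.client.auth", "none").lower() != "required":
            findings.append(f"{listener}: TLS without client certificates, so no client authentication")
    if "authorizer.class.name" not in props:
        findings.append("no authorizer.class.name: no ACLs, every connected client can read all topics")
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: topics without an explicit ACL are open to all")
    return findings


def audit_text(text: str) -> list[str]:
    """Convenience wrapper: audit raw server.properties content."""
    return audit_kafka(parse_properties(text))


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(f"[{label}]", audit_text(cfg) or "no findings")
```

Run against a real broker's server.properties, the script flags the two conditions that turn a message bus into a public feed: a PLAINTEXT (or certificate-less SSL) listener, and the absence of an authorizer. Passing the hardened check does not prove the firewall is right; it only shows the broker itself demands credentials and enforces ACLs.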
Scale of the risk
Consentik is a relatively popular tool. It has a 4.9-star rating, bears Shopify’s “Made for Shopify” badge, and, according to Storeleads data quoted by TechRadar, is installed on approximately 4,180 stores across fashion, cosmetics, fitness, and electronics sectors.
Timeline
| Date (2025) | Event |
|---|---|
| 15 Apr | Researchers verify the leak |
| 18 Apr | Initial responsible-disclosure notice sent to developer (Omegatheme) |
| 28 May | Kafka server is secured, and the leak is closed |
| 15-17 Jul | Public reporting by Cybernews, TechRadar, and others |
Potential impact
- A valid personal access token lets an attacker reconfigure the entire storefront, inject malicious JavaScript, scrape customer PII, or swap the theme for a phishing clone.
- Compromised Facebook tokens can drain ad budgets and damage a brand’s reputation with fraudulent campaigns.
- In jurisdictions such as the EU (GDPR) and California (CCPA), unprotected personal data can trigger regulatory penalties and civil litigation.
Responses so far
- Omegatheme secured the server shortly after being notified but has not issued a public explanation.
- Shopify has likewise not published an official statement as of 18 July 2025. No evidence of large-scale exploitation has surfaced, but forensic confirmation is inherently difficult.
Why does this matter beyond Consentik?
The incident underscores an ecosystem-wide weakness: third-party apps often enjoy administrator-level API rights, yet even top-rated, “vetted” plugins can mishandle that access. Merchants therefore carry part of the security burden themselves.
Practical steps for affected (or cautious) merchants
- Rotate all Shopify personal access tokens issued to Consentik or any other high-privilege app.
- Re-issue Facebook/Meta Ads tokens and review ad-spend logs for anomalies.
- Audit app permissions: favour app-scoped or read-only tokens where possible.
- Check storefront themes for unauthorized edits between January and May 2025.
- Enable alerting for new staff/API accounts, theme changes, and bulk discount edits.
- Document the incident internally - some data protection laws impose breach assessment or reporting duties even if the fault lies with a supplier.
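The alerting and theme-review steps in the checklist above can be run as one detection pass over an admin activity export. The script below is an added example, not Shopify's tooling or anything from the article: the JSON-lines format, field names and event names are assumptions made for illustration, and the sample events are constructed rather than real store activity. It flags new staff or API accounts, every theme edit (marking those that fall inside the exposure window the article gives, mid-January to 28 May 2025), and bursts of discount edits by a single actor.

```python
"""Alert on the activity the merchant checklist tells stores to watch for:
new staff/API accounts, theme edits (with extra weight on edits inside the
exposure window), and bursts of discount edits. The JSON-lines format, field
names and event names are assumptions for this example, not a Shopify log
format; the events below are constructed, not real store activity."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Window in which the Kafka server was exposed, per the article (mid-January to 28 May 2025).
EXPOSURE_START = datetime(2025, 1, 15, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2025, 5, 28, 23, 59, 59, tzinfo=timezone.utc)

# Assumed event names; adapt to whatever your audit export actually emits.
ACCOUNT_EVENTS = {"staff_account.created", "api_key.created"}
BULK_THRESHOLD = 5                    # this many discount edits ...
BULK_WINDOW = timedelta(minutes=10)   # ... by one actor within this span

# Constructed sample: one theme edit during the exposure window, one new staff
# account created by an unfamiliar API key, and a burst of discount edits.
SAMPLE_LOG = """\
{"ts": "2025-03-02T10:15:00Z", "actor": "app:consent-banner", "event": "theme.updated", "subject": "theme/main"}
{"ts": "2025-06-01T08:00:00Z", "actor": "staff:alice", "event": "product.updated", "subject": "product/42"}
{"ts": "2025-06-01T08:05:00Z", "actor": "api:unknown-key", "event": "staff_account.created", "subject": "staff/bob"}
{"ts": "2025-06-01T08:06:00Z", "actor": "api:unknown-key", "event": "discount.updated", "subject": "discount/1"}
{"ts": "2025-06-01T08:07:00Z", "actor": "api:unknown-key", "event": "discount.updated", "subject": "discount/2"}
{"ts": "2025-06-01T08:08:00Z", "actor": "api:unknown-key", "event": "discount.updated", "subject": "discount/3"}
{"ts": "2025-06-01T08:09:00Z", "actor": "api:unknown-key", "event": "discount.updated", "subject": "discount/4"}
{"ts": "2025-06-01T08:10:00Z", "actor": "api:unknown-key", "event": "discount.updated", "subject": "discount/5"}
{"ts": "2025-06-02T09:00:00Z", "actor": "staff:alice", "event": "discount.updated", "subject": "discount/9"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into dicts, converting 'ts' to an aware datetime."""
    events: list[dict] = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events.append(rec)
    return events


def detect(events: list[dict]) -> list[dict]:
    """Apply the three rules and return alerts in the order they fire."""
    alerts: list[dict] = []
    discount_edits: dict[str, list[datetime]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] in ACCOUNT_EVENTS:
            alerts.append({"rule": "new-account", "actor": ev["actor"],
                           "subject": ev["subject"], "ts": ev["ts"]})
        elif ev["event"] == "theme.updated":
            in_window = EXPOSURE_START <= ev["ts"] <= EXPOSURE_END
            alerts.append({"rule": "theme-change-in-exposure-window" if in_window else "theme-change",
                           "actor": ev["actor"], "subject": ev["subject"], "ts": ev["ts"]})
        elif ev["event"] == "discount.updated":
            discount_edits[ev["actor"]].append(ev["ts"])  # already in time order
    # Sliding window: alert once per actor when BULK_THRESHOLD edits fall within BULK_WINDOW.
    for actor, stamps in discount_edits.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                alerts.append({"rule": "bulk-discount-edit", "actor": actor,
                               "count": end - start + 1, "ts": ts})
                break
    return alerts


def run_sample() -> list[dict]:
    """Run the rules over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The theme rule fires on every edit rather than only on edits in the window, because the checklist asks for ongoing alerting; the window tag just tells the reviewer which edits to re-examine first. Thresholds are deliberately plain constants so a merchant can tune them to normal campaign activity before relying on the bulk-edit rule.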
Bottom line
Consentik’s leak is a reminder that compliance plugins are not automatically secure. Stars, badges, and marketplace vetting reduce risk, but they do not eliminate it. Regular token rotation, least-privilege access, and continuous log monitoring remain essential, even for apps whose sole purpose is to “protect” privacy.