# Shopify Store Hacked? Here’s Exactly What to Do Right Now
If you just discovered your Shopify store has been hacked, don’t panic — but act fast. Every minute matters when your store, customer data, and revenue are on the line.
This emergency guide walks you through the exact steps to take right now, today, and this week to secure your store and prevent future attacks.
## 🚨 Do This Right Now (Next 10 Minutes)
Immediately change your Shopify admin password. Use a strong, unique password you haven’t used anywhere else. Enable two-factor authentication while you’re at it — Settings → Account → Two-step authentication.
Go to Settings → Account → Staff accounts. Remove any accounts you don’t recognize. Check if any staff members have been added without your knowledge.
Go to Settings → Activity to see recent admin actions. Look for:
- Login attempts from unknown locations
- Theme modifications you didn’t make
- New app installations
- Changes to payment settings
Open a support ticket with Shopify immediately. Shopify’s security team can help investigate and may be able to provide logs or evidence of the breach. Use the Help Center → Contact Support option.
## ⏰ Do This Today (Within Hours)
Go through every installed app and ask yourself:
- Do I still need this app?
- Is this app from a reputable developer?
- Does this app have access it shouldn’t have?
Remove and uninstall any apps you don’t actively use. Apps often inject code into your theme that remains even after uninstallation — so you’ll need to clean that up too.
Use ThemeSafe Security to scan your entire theme for:
- Malware injections
- Backdoor scripts
- Leaked API keys
- Suspicious third-party code
The free tier runs a comprehensive scan in under two minutes and gives you a security score with specific fix recommendations.
If your store was hacked, assume all credentials are compromised and rotate each of them:
- Shopify API keys (Private apps)
- Payment gateway API keys (Stripe, PayPal)
- Third-party service keys (email marketing, analytics)
- App proxy secrets
Hackers sometimes add webhooks to intercept order data. Check Settings → Notifications → Webhooks and remove anything you don’t recognize.
## 📋 Do This Week
After uninstalling suspicious apps, manually check your theme code for leftover scripts:
- Open Online Store → Themes → Edit Code
- Check theme.liquid for unknown script tags
- Review Snippets folder for files from uninstalled apps
- Check Layout and Templates for injected code
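To make the manual review above repeatable, the following added example (not part of the original guide or of any Shopify tooling) scans a local copy of the theme's `.liquid` files and lists script tags loaded from hosts outside an allowlist, plus inline scripts that use constructs worth a closer look. The allowlist contents, the function names and the sample markup are assumptions made for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

ALLOWED_HOSTS = {"cdn.shopify.com"}  # assumption: extend with hosts you trust

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# Constructs worth a manual look in inline scripts (heuristic, not proof).
RISKY_RE = re.compile(r"\b(?:eval|atob)\s*\(|\bnew\s+Function\s*\(|document\.write\s*\(|fromCharCode")

def audit_liquid(name, text, allowed=ALLOWED_HOSTS):
    """Return (file, line, reason, detail) for each script tag needing review."""
    findings = []
    for m in SCRIPT_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        src = SRC_RE.search(m.group(1))
        if src is None:
            hit = RISKY_RE.search(m.group(2))
            if hit:
                findings.append((name, line, "inline-risky", hit.group(0)))
            continue
        if src.group(1).startswith("{{"):
            continue  # Liquid expression such as {{ 'theme.js' | asset_url }}
        host = urlparse(src.group(1)).hostname
        if host and not any(host == a or host.endswith("." + a) for a in allowed):
            findings.append((name, line, "external-host", host))
    return findings

def audit_theme(root, allowed=ALLOWED_HOSTS):
    """Audit every .liquid file under a locally downloaded theme directory."""
    out = []
    for path in sorted(Path(root).rglob("*.liquid")):
        text = path.read_text(encoding="utf-8", errors="replace")
        out += audit_liquid(path.relative_to(root).as_posix(), text, allowed)
    return out

# Constructed sample standing in for layout/theme.liquid.
SAMPLE = """<head>
  <script src="{{ 'theme.js' | asset_url }}" defer></script>
  <script src="https://cdn.shopify.com/s/files/1/app.js"></script>
  <script src="//stats.example.net/collect.js" async></script>
  <script>var p = atob("Y29uc3RydWN0ZWQ="); eval(p);</script>
</head>
"""

if __name__ == "__main__":
    for finding in audit_liquid("layout/theme.liquid", SAMPLE):
        print(finding)
```

A finding is a prompt for review, not a verdict: match each flagged host against the apps you still have installed before deleting anything.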
Configure alerts for:
- Google Search Console (malware detection)
- Shopify notifications (staff account changes)
- Payment processor alerts (unusual transaction patterns)
- Uptime monitoring (detect if your store goes down)
If you’re running an older theme version, update it. Theme updates often include security patches. If you’ve heavily customized your theme, compare your version against the latest clean version to spot differences.
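One way to do the comparison described above, as an added example that is not from the original guide: hash every file in a clean copy of the theme and in the live copy, then list the files that were added, removed or modified and the lines that exist only in the live version. The directory layout, the function names and the two small demo trees are constructed for illustration.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's theme-relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_themes(clean_root, live_root):
    """Classify live theme files as added, removed or modified vs. the clean copy."""
    clean, live = manifest(clean_root), manifest(live_root)
    return {
        "added": sorted(live.keys() - clean.keys()),
        "removed": sorted(clean.keys() - live.keys()),
        "modified": sorted(k for k in clean.keys() & live.keys() if clean[k] != live[k]),
    }

def added_lines(clean_root, live_root, rel):
    """Return the lines that exist only in the live copy of one modified file."""
    def read(root):
        return (Path(root) / rel).read_text(encoding="utf-8", errors="replace").splitlines()
    diff = difflib.ndiff(read(clean_root), read(live_root))
    return [line[2:].strip() for line in diff if line.startswith("+ ")]

def build_demo(base):
    """Write two small constructed theme trees (clean and live) under base."""
    header = "<head>\n{{ content_for_header }}\n"
    trees = {
        "clean": {"layout/theme.liquid": header + "</head>\n"},
        "live": {
            "layout/theme.liquid": header + "{% render 'old-app' %}\n</head>\n",
            "snippets/old-app.liquid": '<script src="//stats.example.net/c.js"></script>\n',
        },
    }
    for tree, files in trees.items():
        for rel, text in files.items():
            path = Path(base) / tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text, encoding="utf-8")
    return Path(base) / "clean", Path(base) / "live"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = build_demo(tmp)
        print(compare_themes(clean, live))
        print(added_lines(clean, live, "layout/theme.liquid"))
```

On a heavily customized theme the modified list will be long, so start with files that appear only in the live copy and with added lines in `layout/theme.liquid`.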
If customer data was compromised, you’re ethically and often legally obligated to notify affected customers. Be transparent about what happened, what data was affected, and what steps you’ve taken.
## 🔍 How Did This Happen?
Understanding the attack vector helps prevent recurrence. Common Shopify hacking methods include:
### Weak Admin Credentials
Simple or reused passwords are the #1 entry point. Brute-force attacks try thousands of password combinations.
### Compromised Third-Party Apps
Malicious or poorly secured apps can expose your store. Always vet app developers before installation.
### Stolen Session Cookies
If you accessed your admin panel on public WiFi or a compromised device, attackers may have stolen your session.
### Theme Vulnerabilities
Outdated or poorly coded themes can have XSS vulnerabilities that let attackers inject malicious scripts.
### Phishing Attacks
Fake Shopify emails or login pages trick admins into entering credentials on attacker-controlled sites.
## 🛡️ Prevention: Stop It From Happening Again
Once your store is clean, implement these security practices:
Daily:
- Review Shopify activity logs
- Check for new unauthorized staff accounts
Weekly:
- Review installed apps
- Check theme files for unexpected changes
Monthly:
- Run a full theme security scan with ThemeSafe Security
- Update all apps and themes
- Rotate API credentials
Always:
- Use strong, unique passwords
- Enable 2FA on all accounts
- Never access admin on public WiFi
- Only install apps from trusted developers
## Need Professional Help?
If the breach is severe or you’re not confident in your technical abilities, consider hiring a Shopify security expert. The cost of professional cleanup is far less than the cost of a data breach — lost revenue, legal fees, and destroyed customer trust.
## Start With a Free Security Check
Even if your store hasn’t been hacked, run a preventive scan. ThemeSafe Security’s free tier catches vulnerabilities before hackers exploit them. Two minutes of scanning can save you from a disaster.
Your store is your livelihood. Protect it like one.





