This week, Shopify had a problem where two support employees stole store information and now there's a full criminal investigation into the incident.
(And to preempt any worry, per-Shopify you weren't impacted unless Shopify has already contacted you about it. I know of one store who has already started to notify their customers)
I don't want to write about that topic itself, it's better to follow Shopify themselves on that matter.
What I do want to advise on are basic security precautions for all Shopify stores.
Any person you give a staff account to has the ability to get into your store and its data. What permissions to give them will define what data they can access (e.g. orders, customers, themes).
The same thing goes for every Shopify app you install. Each app has to ask you for a set of permissions, based on what the app is coded for.
The more permissions you give to a person or app, the more of your data they can access.
You'll have to balance their level of access based on what they need to do, the more access the higher the risk.
For example,
- Your co-founder is probably going to need full access.
- Your accountant might only need Reporting and Dashboard access.
- Your theme developer will need Theme access and maybe access some content areas if they are cleaning things up (e.g. Navigation, Pages, etc).
- A SEO app might only need access to your theme and some data that it edits, but e.g. it shouldn't need the ability to Edit orders.
- A checkout app will need Orders and Edit orders access, but it probably doesn't need access to your Themes.
- Any app that asks for full access to everything, reading and/or writing data, is probably something you should question.
Yes, thinking about this can be a headache.
But so would be a data breach... one that involves the FBI, having to make data notifications to all of your customers, or even having to pay for credit monitoring for each customer.
Start by going through your staff accounts (Shopify Settings -> Plan and permissions). Edit or remove people who shouldn't have access anymore.
Then go through your apps you have installed. Clicking the "About" link in your apps' list will show you which permissions each app is using. If a permission is questionable, you should ask the developers why they need access to a specific one.
(And as always, remove any old apps you aren't using anymore)
You'll probably want to do this audit every few months too, just in case.
This is why I've only ever asked for the minimum access needed for Repeat Customer Insights and JSON-LD for SEO. They need access to some key areas but I've limited them as much as possible. e.g. Repeat Customer Insights can only read order data, it can't edit or modify it.
Eric Davis
Did last year's holiday customers come back?
Find out if last year's holiday customers stuck around with Repeat Customer Insights Cohort Report.