Shopify security, checking who has access to your store

This week, Shopify had a problem where two support employees stole store information, and now there's a full criminal investigation into the incident.

(And to preempt any worry, per Shopify you weren't impacted unless Shopify has already contacted you about it. I know of one store that has already started to notify its customers.)

I don't want to write about that incident itself; it's better to follow Shopify's own updates on that matter.

What I do want to advise on are basic security precautions for all Shopify stores.

Any person you give a staff account to has the ability to get into your store and its data. The permissions you give them define which data they can access (e.g. orders, customers, themes).

The same goes for every Shopify app you install. Each app has to ask you for a set of permissions, based on what the app is built to do.

The more permissions you give to a person or app, the more of your data they can access.

You'll have to balance their level of access against what they actually need to do: the more access, the higher the risk.

For example,

Yes, thinking about this can be a headache.

But so would a data breach... one that involves the FBI, having to send breach notifications to all of your customers, or even having to pay for credit monitoring for each customer.

Start by going through your staff accounts (Shopify Settings -> Plan and permissions). Edit or remove people who shouldn't have access anymore.

Then go through the apps you have installed. Clicking the "About" link in your apps list will show you which permissions each app is using. If a permission looks questionable, ask the developers why they need access to that specific one.

(And as always, remove any old apps you aren't using anymore)

You'll probably want to do this audit every few months too, just in case.
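A way to turn the app-permission part of this audit into a repeatable check, as an added example (not code from this post, from Shopify, or from any app named here): it compares the scopes each installed app holds against the scopes you expect it to need and flags the rest. The input shape assumes the `appInstallations` query of the Shopify GraphQL Admin API (fields `app.title` and `accessScopes[].handle`); the sample data, the app names other than Repeat Customer Insights, and the `SENSITIVE` set are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Resources where write access exposes the most customer/store data.
# Constructed for this example; adjust to your own risk view.
SENSITIVE = {"customers", "orders", "draft_orders", "themes"}


@dataclass
class Finding:
    app: str
    scope: str
    reason: str


def review_app_scopes(installations: list[dict], expected: dict[str, set[str]]) -> list[Finding]:
    """Flag app scopes worth asking a developer about.

    `installations` mirrors appInstallations edge nodes from the Shopify
    GraphQL Admin API (assumed fields: app.title, accessScopes[].handle).
    `expected` maps app title -> the scopes you believe it legitimately needs.
    """
    findings: list[Finding] = []
    for node in installations:
        title = node["app"]["title"]
        granted = {s["handle"] for s in node["accessScopes"]}
        allowed = expected.get(title)
        if allowed is None:  # app you did not list at all: forgotten or unused?
            findings.append(Finding(title, "*", "not on the expected-app list"))
            continue
        for scope in sorted(granted - allowed):
            verb, _, resource = scope.partition("_")  # e.g. write_customers
            if verb == "write" and resource in SENSITIVE:
                reason = f"write access to {resource} not justified"
            else:
                reason = "scope beyond what this app is expected to need"
            findings.append(Finding(title, scope, reason))
    return findings


# Constructed sample, shaped like appInstallations nodes (not real store data).
SAMPLE = [
    {"app": {"title": "Repeat Customer Insights"}, "accessScopes": [{"handle": "read_orders"}]},
    {"app": {"title": "Review Widget"},
     "accessScopes": [{"handle": "read_products"}, {"handle": "write_customers"}]},
    {"app": {"title": "Old Popup App"}, "accessScopes": [{"handle": "write_themes"}]},
]
EXPECTED = {"Repeat Customer Insights": {"read_orders"}, "Review Widget": {"read_products"}}

if __name__ == "__main__":
    for f in review_app_scopes(SAMPLE, EXPECTED):
        print(f"{f.app}: {f.scope} -> {f.reason}")
```

Each finding is a question for the app's developer, not a verdict; an app with no findings still deserves a look at whether it is used at all.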

This is why I've only ever asked for the minimum access needed for Repeat Customer Insights and JSON-LD for SEO. They need access to some key areas, but I've limited them as much as possible. For example, Repeat Customer Insights can only read order data; it can't edit or modify it.

Eric Davis

Did last year's holiday customers come back?

Find out if last year's holiday customers stuck around with Repeat Customer Insights Cohort Report.


Topics: Security
