Rumor: Alleged Shopify Chargeback API Flaw Leads to Data Exposure and Mass Refund Abuse

A story circulating on X over the last several hours is raising serious concerns among Shopify merchants, especially high-revenue store owners.

An X account named @bagannihilator claims to have discovered a flaw in Shopify’s chargeback- and refund-related API, which allegedly allowed unauthorized actions inside merchant accounts.

What is being claimed

According to the posts and screenshots shared by the account:

• The issue was not related to leaked passwords
• Instead, it allegedly involved a hole in the chargeback or refund API flow
• The attacker claims they were able to issue mass refunds on Shopify stores
• Refunds were allegedly processed without normal merchant approval

In addition to refund abuse, the account claims there was a large-scale data exposure involving:

• Customer email addresses
• Full names
• Physical addresses

No claims were made about credit card numbers or passwords being leaked.

Alleged disclosure to Shopify

The same account states they reported the issue to Shopify first.

According to their version of events:

• Shopify allegedly refused to accept the report as eligible for bug bounty
• Shopify allegedly said the issue would not be fixed
• After that response, the attacker claims they decided to publicly demonstrate the impact

As of now, Shopify has not publicly commented on these specific allegations.

Is this confirmed?

No. This is currently an unverified claim based on posts and screenshots shared on X.

There is no independent confirmation yet that:

• The API flaw exists at scale
• The refunds were performed across many stores
• The exposed data originated directly from Shopify systems

However, screenshots showing refunds being issued have understandably alarmed merchants.

Why this matters

Even without passwords being leaked, this situation is serious if true.

• Refund abuse directly impacts cash flow
• Chargeback-related systems touch sensitive merchant operations
• Exposure of customer names, emails, and addresses creates legal and trust risks

APIs handling refunds and disputes are high-impact systems, and even small flaws in them can be abused quickly and at scale.

What merchants should do now

Until Shopify issues a response, merchants should take basic precautions:

• Review refund and chargeback activity from the last 24 to 48 hours, and reconcile each refund against a support ticket or a known staff action
• Limit staff permissions related to refunds where possible
• Review installed third-party apps and the API access they hold, and remove any that are no longer needed
• Enable alerts for refund events
• Monitor payment processor dashboards closely
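The review step above, as an added example that is not part of the original post or of any Shopify tooling: a Python triage script that takes exported refund records and flags the patterns a practitioner would look for first, refunds in the last 48 hours with no staff account attached and bursts of refunds issued within a few minutes of each other. The sample records are constructed, and their field names (id, order_id, created_at, user_id, note, transactions[].amount) are an assumption loosely modelled on Shopify Admin API refund objects; adapt the field names to whatever export or webhook payload you actually have.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# Constructed sample input (not data from the story). The field names are an
# assumption loosely following Shopify Admin API refund objects. user_id is the
# staff account that issued the refund; None means no staff attribution, which is
# what a refund pushed through an API integration outside the normal flow looks like.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

SAMPLE_REFUNDS = [
    {"id": 1001, "order_id": 5001, "created_at": "2024-01-09T15:00:00Z",
     "user_id": 42, "note": "customer request", "transactions": [{"amount": "20.00"}]},
    {"id": 1002, "order_id": 5002, "created_at": "2024-01-07T10:00:00Z",
     "user_id": 42, "note": "damaged item", "transactions": [{"amount": "15.00"}]},
] + [
    # Six unattributed refunds one minute apart: the burst pattern to catch.
    {"id": 1003 + i, "order_id": 5003 + i,
     "created_at": f"2024-01-10T03:0{i}:00Z", "user_id": None, "note": "",
     "transactions": [{"amount": "50.00"}]}
    for i in range(6)
] + [
    {"id": 1009, "order_id": 5009, "created_at": "2024-01-10T11:30:00Z",
     "user_id": 7, "note": "duplicate order", "transactions": [{"amount": "10.00"}]},
]


def parse_ts(value):
    """Parse ISO 8601 timestamps with a trailing Z into timezone-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def max_refunds_in_window(times, window):
    """Largest number of refunds whose timestamps fall inside any span of `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        # Slide the window start forward until the span fits inside `window`.
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def review_refunds(refunds, now=NOW, lookback_hours=48,
                   burst_window=timedelta(minutes=10), burst_threshold=5):
    """Summarise recent refunds and flag unattributed refunds or refund bursts."""
    cutoff = now - timedelta(hours=lookback_hours)
    recent = [r for r in refunds if parse_ts(r["created_at"]) >= cutoff]
    # Decimal, not float, for money.
    total = sum((Decimal(t["amount"]) for r in recent for t in r["transactions"]),
                Decimal("0"))
    unattributed = sorted(r["id"] for r in recent if r.get("user_id") is None)
    per_user = Counter(r.get("user_id") for r in recent)
    burst = max_refunds_in_window([parse_ts(r["created_at"]) for r in recent],
                                  burst_window)
    return {
        "recent_count": len(recent),
        "total_refunded": total,
        "unattributed_ids": unattributed,
        "refunds_per_user": dict(per_user),
        "max_burst": burst,
        "flagged": bool(unattributed) or burst >= burst_threshold,
    }


if __name__ == "__main__":
    for key, value in review_refunds(SAMPLE_REFUNDS).items():
        print(f"{key}: {value}")
```

Any refund with no staff user behind it, or more than a handful of refunds landing inside a ten-minute window, is worth reconciling against support tickets before assuming it was legitimate. The same function can be fed records from a refund webhook or a periodic Admin API pull to serve as the "alerts for refund events" step.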

Bottom line

There is no confirmed Shopify breach, but there is an active and credible-looking rumor involving an alleged chargeback API vulnerability, refund abuse, and exposure of customer personal data.

The claims originate from @bagannihilator on X and remain unverified. Merchants should stay alert and secure their operations while waiting for an official response.

SWAPD will update this story if Shopify responds or if further verification becomes available.


Correction: this is allegedly a 3rd-party plugin that leaked the data (duspitifier).
