Security incident 1/9/26

Update 1/11/26

On January 9, 2026, we discovered a security incident that resulted in an unknown bad actor gaining access to the Shopify API access token for some of our customers. Upon discovery of the incident, we immediately began working with our engineering team and third-party cybersecurity specialists to investigate. While this investigation is ongoing, we have determined that the bad actor used the access token to perform a number of unauthorized refunds on a handful of our customers’ Shopify stores. We have since fixed the security vulnerability and remediated this issue, as well as reimbursed impacted merchants.

Our investigation has further determined that some sensitive data was exfiltrated from our database. The impacted data included, in some cases, the name, email, mailing address, and store name associated with the store, as well as certain credentials for accessing some third-party services that were integrated to the store.

At this time, we have no evidence to indicate that any potentially exposed credentials have been used inappropriately. However, in an abundance of caution, we are reaching out to all our third-party service providers to proactively inform them of this data breach, and we wanted to provide you with notice first as soon as we discovered this information through our internal security audits. To reiterate, to the best of our knowledge, none of the impacted data has been used by the bad actor to commit any malicious activity.

Thank you for your patience and cooperation as we respond to this incident. We are committed to keeping our customers and partners updated on the progress of our investigation and welcome any questions you may have by contacting our incident response team at incidentresponse@disputifier.com.


Update: 1/9/26 

A security vulnerability was exploited between approximately 10-11 AM PST on 1/9/26, allowing unauthorized refunds to be processed on Shopify orders for a small number of our clients. We want to emphasize that no clients will experience any financial losses. The majority of these refunds were successfully canceled by the payment processor, and we are committed to reimbursing 100% of any remaining losses where cancellation wasn't possible. This incident affected fewer than 0.1% of our customers—specifically, a limited number of users on our Shopify app. While the impact was contained, we recognize the severity of this incident and are treating it with the utmost seriousness. The vulnerability was permanently resolved within one hour of detection.


Frequently Asked Questions

Alert Coverage
Current Disputifier users: Your alert system remains fully operational and will continue preventing chargebacks.
Recent uninstalls: If you uninstalled Disputifier today, we will still manage your alerts and process refunds throughout the weekend.
Please ensure we maintain active collaborator account access to process refunds during this period.

Impact on Current Merchants
As previously stated, no merchants will incur financial losses from this incident. We temporarily disabled access to our merchant-facing app as a precautionary measure. While app access is unavailable, your alert system continues functioning normally and refunds are still being processed. We will restore full app access as quickly as possible.

Moving Forward
Disputifier remains committed to protecting merchants from chargebacks.

We are making substantial investments in cybersecurity infrastructure to prevent future vulnerabilities and ensure rapid resolution of any issues.

We are actively cooperating with law enforcement in their investigation.

We sincerely appreciate the support we've received and will provide updates as new information becomes available.

For questions or concerns, please contact us at incidentresponse@disputifier.com.

Security

Disputifier upholds rigorous security standards and holds multiple certifications, including:
- SOC2 Type 1
- SOC2 Type 2
- HIPAA compliance

Security updates made in response to this incident include:
- Hardened web server firewall rules
- Identified and remediated the vulnerability that allowed authenticated users to enumerate merchant data
- Removed code paths that exposed sensitive data to the frontend
- Implemented filtering and redaction for Shopify tokens in API responses
- Added database-level encryption for Shopify tokens
- Added additional refund limits and rate limit monitoring
- Engaged a cyber security and forensics firm to further harden and strengthen security practices


We also conduct regular penetration testing to ensure ongoing security. To request copies of our reports or certifications, please contact us at incidentresponse@disputifier.com. You can also review our security center here.