
A critical vulnerability in Disputifier, a popular Shopify chargeback management platform used by over 3,000 merchants, exposed sensitive business data belonging to more than 200,000 stores—and the company turned down researchers who offered to help fix it first.
Security researcher Serb, operating under the handle @BagAnnihilator on X, disclosed the breach after Disputifier allegedly refused to engage in bug bounty negotiations or accept assistance in patching the flaw. "The vulnerability left every single piece of data available for extraction," Serb wrote, posting evidence that included store names, Shopify URLs, owner details, email addresses, phone numbers, complete business addresses, API tokens, and payment processor credentials.
The leaked screenshots reveal an alarming scope: numbered entries exceeding 1,800 stores with "total alert counts" ranging from 66 to 69 per merchant, alongside unmasked Shopify authentication tokens that could grant attackers direct access to store backends.
One exposed record showed full merchant details, including CRM integrations (Shopify, Konnektive), billing configurations, and API keys—the digital skeleton keys to entire e-commerce operations.
What makes this incident particularly troubling is the timeline. The vulnerability reportedly existed long enough for researchers to discover it, attempt responsible disclosure, and ultimately go public after being rebuffed.
Just wanted to provide an update to everyone who has seen today's news
There was a security vulnerability which led to an exploit that a hacker used to refund Shopify orders across a handful of our clients.
However, no clients have taken or will take any financial losses
Most…
— Disputifier (@disputifier) January 10, 2026
Disputifier has acknowledged the incident but has not publicly detailed when the exposure began, how many records were actually accessed by malicious actors, or why they declined the researchers' offer to coordinate a fix privately.
For affected merchants, the risk extends beyond privacy concerns. Exposed API tokens could enable account takeovers, fraudulent transactions, or data manipulation. Payment processor credentials (Shopify, Stripe, PayPal) in the wrong hands create direct financial exposure.
Immediate Actions for Disputifier Users:
- Rotate all Shopify API keys and access tokens immediately
- Review recent store access logs for suspicious activity
- Update payment gateway credentials
- Monitor bank accounts and processor dashboards for unauthorised transactions
- Consider the temporary removal of the Disputifier integration until security assurances are provided
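The second item above, reviewing store access logs, is the one merchants most often skip because a raw event export is hard to read. The script below is an added example written for this article; it is not code from Disputifier or Shopify, and the key=value log format it parses is an assumption, not Shopify's real export format. It triages constructed sample events for two signals relevant to this incident: actions by an actor (app or staff account) that is not on the merchant's approved list, and a burst of refunds issued through a single integration token, which is exactly the pattern Disputifier's statement describes. It also totals refunded amounts per actor so a merchant can compare against their own records.

```python
"""Triage a store's event log for signs of third-party integration abuse.

Added example for this article (not Disputifier's or Shopify's code).
Assumptions: a hypothetical key=value export format with ISO-8601 UTC
timestamps; the sample events and actor names below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (hypothetical format, not Shopify's real export).
SAMPLE_LOG = """\
2026-01-09T14:02:11Z actor=app:disputifier action=refund order=1001 amount=49.00 ip=203.0.113.7
2026-01-09T14:02:40Z actor=app:disputifier action=refund order=1002 amount=120.00 ip=203.0.113.7
2026-01-09T14:03:05Z actor=app:disputifier action=refund order=1003 amount=88.50 ip=203.0.113.7
2026-01-09T14:03:30Z actor=app:disputifier action=refund order=1004 amount=15.00 ip=203.0.113.7
2026-01-09T15:10:00Z actor=staff:alice action=login ip=198.51.100.12
2026-01-09T16:45:12Z actor=app:unknown-client action=read_customers ip=192.0.2.99
2026-01-10T09:00:00Z actor=app:disputifier action=refund order=1005 amount=30.00 ip=203.0.113.7
"""

# Actors the merchant knowingly granted access (constructed placeholder list).
APPROVED_ACTORS = {"app:disputifier", "staff:alice"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' line into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m or "=" not in m.group("kv"):
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = ts
    return fields


def parse_log(log_text):
    """Parse every well-formed line of the export, skipping blanks and junk."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def triage(log_text, approved_actors, burst_count=3, burst_window=timedelta(minutes=5)):
    """Return (finding_kind, actor, first_timestamp) tuples worth a human look.

    unknown_actor: an app or account not on the merchant's approved list.
    refund_burst : at least burst_count refunds by one actor inside burst_window,
                   the pattern of an integration token being used to drain orders.
    """
    events = parse_log(log_text)
    findings = []

    # Signal 1: any activity by an actor the merchant never approved.
    for e in events:
        if e.get("actor") not in approved_actors:
            findings.append(("unknown_actor", e.get("actor"), e["ts"]))

    # Signal 2: refund bursts per actor (sliding window over sorted timestamps).
    refunds = defaultdict(list)
    for e in events:
        if e.get("action") == "refund":
            refunds[e["actor"]].append(e["ts"])
    for actor, stamps in refunds.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= burst_window:
                j += 1
            if j - i + 1 >= burst_count:
                findings.append(("refund_burst", actor, stamps[i]))
                break  # one finding per actor is enough to trigger review
    return findings


def total_refunded(log_text):
    """Sum refunded amounts per actor so they can be reconciled against records."""
    totals = defaultdict(float)
    for e in parse_log(log_text):
        if e.get("action") == "refund" and "amount" in e:
            totals[e["actor"]] += float(e["amount"])
    return dict(totals)


if __name__ == "__main__":
    for kind, actor, ts in triage(SAMPLE_LOG, APPROVED_ACTORS):
        print(f"{kind:14} {actor:22} first seen {ts.isoformat()}")
    for actor, amount in total_refunded(SAMPLE_LOG).items():
        print(f"refund total   {actor:22} {amount:.2f}")
```

On the constructed sample this reports one unknown actor and one refund burst by the integration token; the lone refund on the following day is not flagged, which is the point of using a time window rather than a raw count. Any refund_burst finding tied to an integration whose token may have been exposed is a reason to rotate that token before anything else on the list.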
The incident underscores a persistent problem in the SaaS ecosystem: when companies dismiss security researchers, everyone loses. Bug bounties exist precisely to prevent these public disclosures—and the real-world damage that follows.