
Shopify Store Hacked? The 2026 Emergency Recovery Playbook

Your Shopify store is hacked. Maybe customers are reporting phantom charges. Maybe you logged in this morning and orders look strange. Maybe Shopify itself flagged your store. The next 4 hours determine how much damage this becomes. This guide is the emergency response playbook — what to do in the first 15 minutes, the first hour, the first day — and how to harden the store so it never happens again.

First 15 minutes: stop the bleeding

  1. Take your store offline. Online Store → Preferences → Password page. Set a password. This stops new orders, new customer accounts, and new checkout attempts. This is critical: every minute the store stays live with malware on it means more stolen cards.
  2. Change the store owner password. Use a brand new, never-before-used password. Sign out every other session.
  3. Enable 2FA on the owner account if not already on. Use an authenticator app.
  4. Check active sessions. Settings → Users → see active sessions on the owner account. Sign out all unknown devices.

First hour: investigate

  1. Review the staff list. Settings → Users and permissions. Remove any unfamiliar accounts. Force password reset on all remaining accounts. Enable 2FA on each.
  2. Audit installed apps. Apps → Installed apps. Uninstall any app you do not recognize, any app you have not used in the last 90 days, and any app with broad permissions (manage orders, edit theme) that you do not actively need.
  3. Check the audit log. Settings → Plan and permissions → Activity log. Look for theme edits, staff additions, app installs, or order modifications you did not make. Note the timestamps and IPs.
  4. Diff your theme. Online Store → Themes → Edit code. Compare against your last known-good backup. Look for unfamiliar JavaScript or modified core files.
  5. Check for unauthorized orders. Were any fulfilled, refunded, or cancelled by an attacker to mask theft? Document each suspicious order.
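
One way to run the theme diff from step 4 offline, as an added example (not Shopify's or any vendor's code): it assumes the known-good backup and a fresh export of the live theme are unpacked into two local directories. The allowlist, host names and sample files are constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hosts this theme is expected to load scripts from; edit for your store.
ALLOWED_HOSTS = {"cdn.shopify.com"}
SRC_RE = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']?((?:https?:)?//[^"'\s>]+)""", re.I)

def snapshot(root):
    """Map relative path -> SHA-256 for every file under a theme directory."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def external_hosts(text):
    """Hosts referenced by <script src=...> that are not on the allowlist."""
    hosts = {urlparse("https:" + u if u.startswith("//") else u).hostname
             for u in SRC_RE.findall(text)}
    return sorted(h for h in hosts if h and h not in ALLOWED_HOSTS)

def diff_theme(backup, current):
    """Compare a known-good backup with the current theme export."""
    old, new = snapshot(backup), snapshot(current)
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "modified": sorted(f for f in set(old) & set(new) if old[f] != new[f]),
              "new_external_hosts": {}}
    for rel in report["added"] + report["modified"]:
        now = external_hosts(Path(current, rel).read_text(errors="replace"))
        was = external_hosts(Path(backup, rel).read_text(errors="replace")) if rel in old else []
        if set(now) - set(was):
            report["new_external_hosts"][rel] = sorted(set(now) - set(was))
    return report

def demo():
    """Constructed sample trees standing in for a backup and a fresh export."""
    good = {"layout/theme.liquid": '<script src="//cdn.shopify.com/s/a.js"></script>\n',
            "assets/app.js": "console.log('cart');\n"}
    live = {**good, "snippets/tracker.liquid": "<script src='//cdn.example.org/t.js'></script>\n"}
    live["layout/theme.liquid"] += '<script src="https://stats.example.net/c.js"></script>\n'
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("backup", good), ("current", live)):
            for rel, body in files.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return diff_theme(Path(tmp, "backup"), Path(tmp, "current"))

if __name__ == "__main__":
    print(demo())
```

Injected inline code has no `src` attribute, so every file listed under `added` and `modified` still needs a manual read; the host check only narrows where to look first.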

First day: contain and recover

  1. Restore the theme from a clean backup if you have one. If not, duplicate the current theme, strip out anything suspicious, then publish.
  2. Reset all customer passwords for accounts that show suspicious activity. Email affected customers and let them know.
  3. Refund any fraudulent orders that were placed during the breach window. Better to refund proactively than absorb chargebacks later.
  4. Notify Shopify Trust and Safety. Submit a report at shopify.com/security/report. They may be tracking the same attacker.
  5. File the incident with your payment processor if cards may have been exposed. PCI rules require notification.
  6. Bring your store back online only after every step above is complete and your theme is verified clean.

First week: prevent re-infection

  • Install ShopFence Plus for real-time theme scanning. The moment any theme file changes unexpectedly, you get an alert.
  • Block the source. If the attacker used a specific IP or country, block it permanently.
  • Enable customer 2FA if you sell high-value items.
  • Set up VPN/proxy detection if the attack came through proxies.
  • Review every app’s permissions. Revoke “theme edit” or “manage orders” from anything that does not actively need it.
  • Document the incident. Write up what happened, when, how you detected it, what you did. Keep it in a runbook so the next time (if there is one) the response is faster.

The 5 most common Shopify hack vectors

  • Phished staff account. A staff member clicked a fake Shopify login email. The attacker used their credentials to add an admin or edit the theme.
  • Compromised third-party app. An app developer got breached. Their update pushed malicious code to your store.
  • Malicious “free premium” theme. Downloaded outside the official Shopify Theme Store. Came pre-infected.
  • Owner account password reuse. Your owner password was the same as a password breached on another site.
  • API token leak. A custom integration’s API token leaked (committed to public GitHub, posted in a screenshot, shared with a contractor who left).

2FA, unique passwords, careful app management, and real-time theme scanning together eliminate 90% of these vectors.

Frequently asked questions

What do I do if my Shopify store is hacked?

Take the store offline (password protection page), change the owner password, enable 2FA, audit staff and apps, review the activity log, restore the theme from a clean backup, notify Shopify Trust and Safety, refund any fraudulent orders. Then harden with real-time monitoring.

How do I know if my Shopify store is hacked?

Signs include: customer complaints about phantom charges, sudden spike in chargebacks, unfamiliar staff accounts, theme files modified outside your edit history, orders placed at times you were not active, or Shopify itself flagging your store.

Will Shopify recover my hacked store?

Shopify Trust and Safety will assist with platform-level recovery (suspending suspicious sessions, providing audit log access). They cannot recover lost orders or refund affected customers — that is the merchant’s responsibility, sometimes covered by Shopify Protect.

How long does it take to recover a hacked Shopify store?

Stop-the-bleeding response: 15 minutes. Full investigation and theme cleanup: 2-4 hours. Long-tail (customer notification, refunds, payment processor reports): 1-2 weeks. Add real-time monitoring to detect the next attempt instantly.

Should I close my Shopify store if it was hacked?

Almost never. Temporary password-protection (Online Store → Preferences → Password page) gives you time to investigate without destroying your business. Closing the store costs you all your SEO equity, customer data integrity, and operational momentum.

Recovery + prevention in one move

After the immediate response, the single highest-leverage prevention is real-time theme scanning. ShopFence Plus ($8.99/mo) catches unauthorized theme changes within minutes — so the next time someone tries to inject a skimmer, you know before any customer hits checkout. Read our malware guide and the complete 2026 security guide for the full picture.