Seiko USA Website Defaced, Hackers Claim Shopify Data Theft

Seiko USA’s website was defaced over the weekend with a ransom note claiming a Shopify backend breach and a 72‑hour deadline to prevent data leak.

Visitors to the Press Lounge section saw a bold “HACKED” header and a message stating that attackers had accessed the company’s Shopify system and exfiltrated customer names, emails, phone numbers, order history and shipping details. The note demanded that Seiko USA locate a specific customer account ID in its Shopify admin, use the associated email to negotiate, and respond within 72 hours or face public release of the alleged data.

The defacement was first spotted on April 18, 2026, by a security researcher who shared a screenshot on social media. By the following day the malicious content had been removed, and Seiko USA had not issued any public statement confirming or denying the breach. Independent verification of the data theft has not been published.

If the attackers’ claims are true, the exposed information could enable identity theft, credential stuffing, and targeted phishing. Even without proof of exfiltration, the defacement erodes trust and signals potential weaknesses in administrative controls, such as insufficient multi‑factor authentication or over‑privileged API keys.

What Defenders Should Do - Enforce mandatory two‑factor authentication for all Shopify admin accounts and review login logs for anomalous locations or times (MITRE ATT&CK T1078 – Valid Accounts). - Rotate and restrict API keys, applying the principle of least privilege; monitor for unexpected API calls that read customer objects (T1041 – Exfiltration Over C2 Channel). - Deploy a web application firewall with rules to block known exploitation attempts against Shopify apps and plugins (T1190 – Exploit Public‑Facing Application). - Enable Shopify’s security alerts for changes to customer data, account permissions, and app installations. - Conduct a credential audit: reset passwords, remove unused staff accounts, and verify that no third‑party app retains excessive scopes. - Follow Shopify’s Security Best Practices guide and apply any relevant advisories, such as the 2023‑04 API security update.

Watch for an official statement from Seiko USA and for any appearance of the alleged customer data on underground forums or leak sites.