Sezzle Plugin on Shopify Compromised?

SEO expert Jesse Hanley is reporting on Twitter his discovery that 442 stores on the Shopify platform are mining cryptocurrency, apparently without authorization.

Hanley has concluded that the Coinhive javascript has been injected into all Shopify stores running the Sezzle plugin. Hanley intended to inform Sezzle of the possible compromise but could not find someone to talk to at the company when it was very late Saturday night.

The official Twitter account of Shopify Plus did eventually respond with assurances that the issue would be looked at.

For the record, Coinhive does not steal or damage any data. The most harm it does — if it can be called that — is draining some extra electricity from the computers of visitors who visit a website that deploy the script in the web visitor’s browser. Extended nonstop use may result in the shortened lifespan of hardware. Most authorized implementations of Coinhive, however, do ask for the visitor’s permission.

Sezzle Inc. is an alternative payment platform that promises to increase sales and basket sizes by enabling interest-free installment plans at online stores. When you pay with Sezzle, your purchase is split into four interest-free installments automatically scheduled over the next six weeks. Sezzle is based in Minneapolis with an office in San Francisco.