Mailchimp API Exposure FAQ

The following is an overview of the potential API exposure incident with the Mailchimp Newsletter Element. For answers to your specific concerns, please navigate to the FAQ list below.

On April 30th, we detected a potential security gap within the Mailchimp Newsletter Element that exposes MailChimp API keys publicly, which may result in spam emails for stores that use the element. The issue has been resolved thoroughly and completely at the beginning of May. Alongside internal investigations, we have also brought on an outsourced security firm to support in securing customers' information and data.

 

Our application is still running and supporting existing users who have installed our app before May 1st. However, we are delisted from the Shopify App Store as a precautionary measure following Shopify’s Partner Policies. This means we cannot welcome new installations. 

 

Though we regret that we cannot welcome new members, our team at GemPages is taking this opportunity to improve our product and services for all current and future customers.

API Exposure

What do you mean by ‘API exposure’?

When an API is exposed, the public API key is printed at the front end of the pages. This vulnerability can be exploited to gain access to the email list recorded by the Mailchimp element.

 

Who is impacted by the API exposure? And how many stores?

Stores that use the Mailchimp element to collect user emails. Approximately 3,000 stores and 9,000 pages were affected. 

 

What kind of shop data was exposed? 

Only the email data that you provide and receive from Mailchimp was exposed. All data to use or as a result of our Services such as personally identifiable information, financial information, user history, user-generated data...etc. are secured and are in no way impacted by this event. For more information on how we collect, process, and share data, please refer to our Privacy Policy

 

Did the API exposure put us at risk of malicious code being present on pages that use GemPages? 

No, the only impact is that your email data is presented on pages, which means others may use it for spamming purposes. We take data privacy very seriously and have taken the necessary steps to secure the data for our users, as well as preventative measures to ensure these risks will not happen again. 

 

Will the issue be fixed by the time GemPages is listed again? 

The issue was already resolved at the beginning of May. And for us to be on the Shopify App Store again, we must meet the strict requirements set out by Shopify to protect customer data. A security firm will be reviewing our application, along with Shopify before GemPages is republished again.

 

Is the current version of GemPages safe to use? 

Yes, the current version is safe. Customer data will not be at all affected. 

 

How do I know if my current Mailchimp account is compromised? If yes, what should I do? 

If your API key is exposed, you would have received a notification from Shopify. We have processed and resolved the issue thoroughly in all affected stores. To continue using the Mailchimp element, please refer to our Help Center article

Delisting

I don’t use the Mailchimp element, why is this important? 

Due to the API exposure, Shopify has delisted our app from the Shopify App Store. As a result, new stores will not be able to install our app. 

 

Does this mean GemPages is shutting down? 

No, GemPages is still running and supporting merchants who have installed GemPages before May 1st. If things go well, we will be back on the Shopify App Store by early November!

 

Will my pages still be live if GemPages is delisted?

Yes, your pages will still be live regardless of our status. 

 

Can I purchase/sell stores that have GemPages installed?

Yes, you can purchase/sell stores with GemPages installed via Shopify Exchange or other platforms. However, we will not be selling any stores nor will we be liable for damages resulting from any store exchange. 

 

I need to build stores for my clients, can I install GemPages elsewhere?

Though we are working towards a headless system, you cannot install GemPages anywhere else at this point. If your client has already installed GemPages in the past, they can use a subscription. 

 

When will GemPages be back?

The app will be eligible to be republished in early November 2021. 

 

Is there a possibility you won’t be back by November?

Shopify declared that the app will be qualified for republishing by early November if we uphold its quality standards. There is a possibility since Shopify is the final arbiter, but we will do everything we can to meet all of their requirements by that time. 

Subscription

I have already installed and purchased a plan, is the app impacted in any way?

You can still create, edit, and publish pages as per usual. 

 

Can I downgrade my plan?

Yes, you can make changes to your plan at any time as usual.

Damages

I cannot install GemPages for my new store and that is costing me a lot of money, am I liable to claim damages?

We understand that this issue has created a major inconvenience for you. Though we sympathize with your frustration, unfortunately, you are not liable to claim compensation. Please refer to our Terms of Service for more details.

 

I have switched to another page builder and it is costing time, will I be compensated?

Though we are sad to see you go, unfortunately, we cannot offer you any compensation due to this event. Please refer to our Terms of Service for more details.

Uninstall

What happens to my data after I uninstall the app?

For detailed information on this matter, please refer to our Data Retention Policy.

Contact

We understand that this comes at an inconvenience for many of our members. We hope that we receive your understanding and support at this time. For support in your case, please do not hesitate to contact us at support@gempages.help or via live chat


Was this helpful?