Morning folks,
While we were planning to release the guys this weekend, we had an incident where someone crafted and shared links to the cart that bypassed the password, allowing them to place orders for the guys.
The password was put in place to give Smart Doll Outpost creators a fair chance to secure the dolls first and share their experiences, especially as many folks had concerns about quality.
Normally, links that take you directly to a cart are generated through our backend systems, but this individual managed to do so without access to them. After investigating, we found no evidence that malicious code was injected into the cart session to steal payment details. However, this type of exploit—known as “malicious cart poisoning” or “session hijacking”—can be dangerous, as these links often appear completely legitimate. The fact that someone was able to craft these links suggests they likely have the knowledge to attempt more harmful actions in the future, which makes this a serious concern.
Just to reassure everyone—no customer accounts or payment information were compromised.
To be clear, the platform we use (Shopify) is secure and trusted by thousands of businesses worldwide. This issue wasn’t caused by a flaw in Shopify itself, but by how certain features—like cart link sharing—can be misused when shared irresponsibly. We’re now reviewing how we can limit this kind of exposure moving forward to better protect our community.
Clicking on any crafted cart link from a third party—whether it’s to our store or any other website—can still put you at risk. Attackers may use tactics like:
• Injecting code into a cart to steal personal or payment info
• Tricking you into using a session they still control (session fixation)
• Redirecting you to a fake checkout page designed to harvest credit card details
To stay safe, always navigate directly to websites rather than clicking on cart links shared by others. The only links you should trust are those posted on our official Twitter account.
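The advice above (go to the store directly, trust only links from the official account) can be turned into a simple check that a community moderator or a cautious shopper can run on any link before clicking it. The following is an added example, not code from Smart Doll or Shopify: it assumes a hypothetical official store host (`shop.example-store.com`) and a generic list of redirect-style query parameter names, and it flags links that pre-fill a cart or checkout, point at a lookalike host, embed credentials, or carry a redirect parameter.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlist: the store's official host. This is a placeholder,
# not a value taken from the original post.
OFFICIAL_HOSTS = {"shop.example-store.com"}

# Path prefixes that pre-fill a cart or checkout. A link that lands here skips
# the normal storefront navigation and deserves a closer look.
CART_PREFIXES = ("/cart", "/checkout")

# Query parameter names commonly used to bounce a visitor elsewhere after the
# page loads (assumed generic names, not specific to any platform).
REDIRECT_PARAMS = {"redirect", "redirect_to", "return_to", "url", "next"}

# Constructed sample links for the demonstration below.
SAMPLE_LINKS = [
    "https://shop.example-store.com/products/smart-doll",
    "https://shop.example-store.com/cart/shared",
    "https://shop.example-store.com.evil.example/products/smart-doll",
    "http://shop.example-store.com/products/smart-doll",
    "https://shop.example-store.com/account?return_to=https://evil.example",
    "https://user:pw@shop.example-store.com/",
]


def vet_shared_link(link: str) -> dict:
    """Classify a link that someone shared in the community.

    Returns {"verdict": ..., "reasons": [...]} where verdict is
    'trusted'   : https, exact official host, no cart/checkout path,
                  no redirect parameter, no embedded credentials;
    'suspicious': official host, but the link pre-fills a cart/checkout,
                  uses plain http, or carries a redirect parameter;
    'reject'    : wrong or lookalike host, or credentials embedded in the URL.
    """
    reasons = []
    try:
        parts = urlparse(link.strip())
    except ValueError:
        return {"verdict": "reject", "reasons": ["unparseable URL"]}

    host = (parts.hostname or "").lower()
    official = host in OFFICIAL_HOSTS

    if parts.scheme != "https":
        reasons.append("not https")
    if not official:
        # Exact match only: this catches lookalikes such as the official host
        # used as a subdomain of an attacker-controlled domain.
        reasons.append(f"host {host!r} is not the official store host")
    if parts.username or parts.password:
        reasons.append("credentials embedded in URL")
    if parts.path.lower().startswith(CART_PREFIXES):
        reasons.append("link pre-fills a cart or checkout instead of a product page")
    for name in parse_qs(parts.query):
        if name.lower() in REDIRECT_PARAMS:
            reasons.append(f"query parameter {name!r} can redirect after load")
            break

    if not reasons:
        verdict = "trusted"
    elif not official or parts.username or parts.password:
        verdict = "reject"
    else:
        verdict = "suspicious"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for sample in SAMPLE_LINKS:
        result = vet_shared_link(sample)
        print(f"{result['verdict']:10}  {sample}")
        for reason in result["reasons"]:
            print(f"            - {reason}")
```

The exact-host comparison is the part that matters most: a link whose host merely contains the store's name is treated as a rejection, not a warning, because that is the pattern a fake checkout page relies on. Cart and checkout pre-fill links on the real host are marked suspicious rather than rejected, matching the post's point that such links can be legitimate when they come from the store itself but should not be trusted from third parties.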
Unfortunately, we won’t be able to honor the orders placed through these unauthorized links. That said, if you placed an order this way, you’re absolutely not at fault, and there will be no consequences for you. Our concern is with the individual who created and distributed the links.
At this time, this only affects the release of the guys. Other scheduled releases remain unaffected, but if anything changes, we’ll keep you posted.
I know this is disappointing—I’m just as disappointed as you. Thanks so much for your patience and understanding as we work through this.
#smartdoll