Chicago vintage shop says Shopify account breach led to over $33,000 loss

CHICAGO - A Chicago vintage shop says someone gained access to its Shopify account and took more than $33,000, prompting the business to warn other small retailers to check their accounts.

What we know:

Lost Girls Vintage says scammers flooded their inbox with spam emails to hide real messages from Shopify, the platform they use for sales and payments. By the time they found the important emails, someone had opened a line of credit in the store’s name and charged about $35,000 to the account.

The spam didn’t come in slowly. It arrived fast. Email after email. Promotions the shop never signed up for. A craft market in Germany. A luxury fashion brand. Random newsletters stacked so quickly the inbox looked like it had been hit with a fire hose.

Consumer protection groups say inbox flooding overloads spam filters and confuses people. The real goal isn’t junk email; it’s hiding the one message that matters.

In this case, the hidden messages were from Shopify.

Kyla Embry, who co-owns Lost Girls Vintage, said she recognized the pattern because a family member experienced the same type of scam last year. That memory made her stop before clearing the inbox.

"I needed to look through every single one to see if there was one from a bank or somebody we actually work with," Embry said.

She found several important emails.

One email said a recovery code had been used to access the Shopify account. Embry said she never requested it. Another email welcomed the business to Shopify Credit. Another included financial disclosures for a new line of credit that the owners did not open.

She logged into the account right away.

"That line of credit had been opened and there were $35,000 of fraudulent charges," Embry said. "It was within minutes."

She said there was still unused credit left, so the damage could have been worse. She locked the card, changed passwords, restored account credentials, and reported the fraud.

Millions of stores use Shopify for payments and sales. That’s part of why this fraud works: one account looks just like many others.

Embry said the business had two-factor authentication, but she thinks the scammers found a way around it. 2FA isn’t perfect. Scammers steal recovery codes or use SIM swapping to take over phone lines and get the second security code. 

Experts recommend authenticator apps or hardware keys, since they’re safer than text message codes. Embry shared her concerns while working with Shopify to reverse the charges.

For now, the charges have been reversed, but the case is still open.

Embry said Shopify told her the investigation could take up to 90 days, and the final decision is up to the company. She also said the business can’t close the credit account until the investigation is over. "They could still come back and say they don’t think this was fraud," she said.

"Losing that amount of money is a death sentence for small business," Embry said. "We absolutely could not afford to take that hit."

A few days later, Embry said Shopify locked the business out of its account, calling it suspicious activity. This lockout happened after the fraud had already been reported.

She said the timing seemed backwards.

Since sharing her experience publicly, Embry said other business owners reached out with similar stories. Some involved Shopify. Others involved different payment platforms. Some said their cases were never resolved.

Consumer watchdogs have warned about inbox flooding for years. Their advice: don’t ignore sudden waves of spam. This can target anyone. If something feels off, don’t bulk delete. Look for messages from banks, payment services, or platforms you use.

Set up inbox rules to filter spam and highlight important emails. Use tools like Gmail filters to sort emails by sender or subject or Outlook rules to organize messages. Consider security apps like Spam Titan or Barracuda Security. Use different email addresses for important tasks. Check your accounts often to catch unauthorized activity early.

Embry said that’s why she’s sharing her story. "If you start seeing spam after spam after spam, rapid fire, that’s the warning," she said.

Now, her business handles spam differently. She checks spam folders every day, keeps a close eye on account dashboards, and pays attention to credit settings she didn’t even know about before.

What you can do:

Some routines to practice daily or weekly:

• Check spam folders at least once a day to ensure important messages are not missed.
• Regularly review account dashboards for any unusual activity or changes.
• Stay informed about credit settings and permissions to quickly spot unauthorized adjustments.

FOX 32 contacted Shopify for a comment about Embry’s claims and the Lost Girls Vintage case, but Shopify has not responded.

Small business owners should contact their platform’s support team right away to report the problem. Keep records of all messages. If the platform doesn’t respond, reach out to consumer protection agencies or seek legal advice.