Every automation workflow is an attack surface. When you connect Shopify to QuickBooks to ShipStation, you are creating data pipelines that carry customer PII, financial records, and business-critical operational data. A security flaw in any single connection exposes everything downstream. Yet security is consistently the most neglected aspect of automation architecture. Teams obsess over functionality and ignore the fact that their API keys are stored in plaintext, their OAuth tokens never expire, and their automation platform has unrestricted access to every system in their stack.
Here are the five security mistakes we encounter most frequently, along with the specific steps to remediate each one.
Mistake 1: Hardcoded API Keys and Credentials
This is the most egregious and most common security failure: API keys for QuickBooks, ShipStation, Stripe, and other platforms are embedded directly in automation scenarios, stored in webhook URLs, or pasted into configuration fields without encryption. In Make.com and Zapier, credentials stored in connection objects are encrypted at rest, but any API keys placed in HTTP module headers, URL parameters, or custom code modules are stored as plaintext in the scenario definition.
The risk is not theoretical. When a team member exports a scenario to share it, those API keys go with it. When a contractor is granted access to the automation platform for troubleshooting, they can view every hardcoded credential. When the automation platform itself experiences a breach, your keys are exposed.
Fix: Use the platform's native connection management exclusively. Never place credentials in URL parameters or custom headers. For Make.com, store sensitive values in the Data Store module with access controls. For custom integrations, use environment variables or a dedicated secrets manager like AWS Secrets Manager or HashiCorp Vault. Rotate all API keys on a 90-day cycle.
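A pre-share check for the failure described above, as an added example that is not part of the original article or of any platform's tooling: it walks an exported scenario and reports where a literal credential sits in a header or URL parameter, without echoing the value. The export structure, the field-name list and the {{...}} placeholder syntax are assumptions made for the example.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed list of header / query-parameter names that normally carry a secret.
SECRET_NAMES = re.compile(r"authorization|api[-_]?key|token|secret|password", re.I)
# {{...}} template references point at a managed connection; they are not literals.
PLACEHOLDER = re.compile(r"^\s*\{\{.*\}\}\s*$")

def is_literal_secret(name, value):
    return (isinstance(name, str) and isinstance(value, str) and value != ""
            and bool(SECRET_NAMES.search(name)) and not PLACEHOLDER.match(value))

def find_hardcoded_credentials(node, path="$"):
    """Return (json_path, field_name) pairs; secret values are never echoed."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and value.lower().startswith(("http://", "https://")):
                for qname, qvalue in parse_qsl(urlsplit(value).query):
                    if is_literal_secret(qname, qvalue):
                        findings.append((child, qname))
            elif is_literal_secret(key, value):
                findings.append((child, key))
            elif isinstance(value, (dict, list)):
                findings += find_hardcoded_credentials(value, child)
        # Headers stored as {"name": ..., "value": ...} pairs
        if is_literal_secret(node.get("name"), node.get("value")):
            findings.append((f"{path}.value", node["name"]))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings += find_hardcoded_credentials(item, f"{path}[{i}]")
    return findings

# Constructed export; the structure and every value are made up for this example.
SAMPLE_EXPORT = json.loads("""
{"name": "Orders to ShipStation", "flow": [
  {"id": 1, "module": "http",
   "url": "https://api.example.test/orders?api_key=EXAMPLE-NOT-A-REAL-KEY&page=1",
   "headers": [{"name": "Authorization", "value": "Bearer EXAMPLE-NOT-A-REAL-TOKEN"},
               {"name": "Accept", "value": "application/json"}]},
  {"id": 2, "module": "http", "url": "https://api.example.test/ship",
   "headers": [{"name": "X-Api-Key", "value": "{{connection.apiKey}}"}]}]}
""")

if __name__ == "__main__":
    for where, field in find_hardcoded_credentials(SAMPLE_EXPORT):
        print(f"hardcoded credential: {field} at {where}")
```

Any key this check finds in an export that has already been shared should be treated as exposed and rotated.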
Mistake 2: Excessive Permission Scopes
When setting up OAuth connections, most teams accept the broadest permission scope available because it is the path of least resistance. Your Shopify integration does not need write_customers, write_products, and write_orders if all it does is read order data. But during initial setup, granting all permissions avoids permission errors, so teams take the shortcut and never revisit it.
Limiting OAuth scopes to only what is required dramatically reduces the blast radius of a compromised credential.
Fix: Audit every connection in your automation platform. Document exactly which scopes are granted and which are actually used. Reauthorize connections with minimal scopes. For Shopify, create a custom app with only the specific permissions your workflow requires instead of using a full-access private app token.
Mistake 3: No Audit Trail for Automated Actions
When a human creates an invoice in QuickBooks, there is an audit trail: who created it, when, and from what IP address. When an automation creates an invoice, the trail typically shows "API" or the app name, with no granularity about which workflow triggered the action, what data was in the original request, or whether the action was triggered by a legitimate event or an anomalous one.
Without detailed logging, you cannot detect unauthorized access, trace data discrepancies to their source, or demonstrate compliance during audits. The absence of an audit trail does not just create security risk. It creates accountability gaps that make every other problem harder to diagnose.
Fix: Implement structured logging for every automated action. Each log entry should include: timestamp, workflow ID, trigger event, input data hash, action performed, target system, response status, and execution duration. Store logs in an immutable system (not the automation platform itself) with a minimum 12-month retention period. For businesses in regulated industries like medical supply, longer retention may be required.
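One way to produce the log entry described above, as an added example that is not code from the original article: a wrapper that records all eight fields for each automated action, including failures, and hashes the input instead of storing it. The function names, the sink (a plain list standing in for an external append-only store) and the assumption that the wrapped call returns a dict with a "status" key are all hypothetical.

```python
import hashlib
import json
import time
from datetime import datetime, timezone

def input_hash(payload):
    """SHA-256 over canonical JSON: key order does not change the hash,
    and the payload itself (which may hold PII) never reaches the log."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def run_logged(workflow_id, trigger_event, payload, action, target_system, call, sink):
    """Run call(payload) and append exactly one JSON log line to sink,
    whether the call returns or raises."""
    started = time.monotonic()
    status = "unknown"
    try:
        result = call(payload)  # hypothetical: returns a dict with a "status" key
        status = str(result.get("status", "unknown"))
        return result
    except Exception as exc:
        status = f"exception:{type(exc).__name__}"
        raise
    finally:
        sink.append(json.dumps({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "workflow_id": workflow_id,
            "trigger_event": trigger_event,
            "input_sha256": input_hash(payload),
            "action": action,
            "target_system": target_system,
            "response_status": status,
            "duration_ms": round((time.monotonic() - started) * 1000, 3),
        }, sort_keys=True))

if __name__ == "__main__":
    log = []  # stand-in for an external, append-only log store
    order = {"order_id": 1001, "email": "jane@example.test"}  # constructed input
    run_logged("wf-invoice-01", "shopify.order.created", order,
               "create_invoice", "quickbooks", lambda p: {"status": 201}, log)
    print(log[0])
```

A plain hash of a small or guessable payload can be brute-forced; where that matters, a keyed HMAC with the key held outside the log store serves the same matching purpose.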
Mistake 4: Unencrypted Data in Transit Between Systems
Most major platforms enforce HTTPS for their APIs, but automations often involve intermediate steps that bypass this protection. Webhook URLs that use HTTP instead of HTTPS. Data written to shared Google Sheets or Airtable bases that are accessible to anyone with the link. CSV files emailed as attachments containing customer data. Each of these creates an unencrypted data exposure point.
Fix: Audit every data flow in your automation for encryption. All webhook endpoints must use HTTPS. All shared documents must require authentication. Never email data files that contain PII. If you must use intermediate storage, encrypt the data at the application layer before writing it, and decrypt only at the point of consumption.
Mistake 5: Abandoned Connections and Zombie Workflows
When you stop using an automation, do you delete it? Most teams do not. They turn it off and forget about it. The problem is that the connections those workflows established, the OAuth tokens, API keys, and webhook endpoints, remain active. An abandoned Zapier connection to your Stripe account still has valid credentials, even if the Zap has not run in a year. If the automation platform is compromised, those dormant credentials are just as exploitable as active ones.
Fix: Conduct a quarterly connection audit. Deactivate and revoke any connection that has not been used in the past 90 days. Delete abandoned workflows entirely rather than just pausing them. Review your connected apps list in Shopify, QuickBooks, and Stripe to identify and remove any apps or integrations you no longer use.
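The scope audit from Mistake 2 and the quarterly connection audit above can be driven from the same record of observed API calls. The following is an added example, not code from the original article: it derives the scopes a connection actually uses and its last-used date from call records, then recommends revoking, reauthorizing with fewer scopes, or no action. The inventory, the call records and the method-to-scope convention are constructed for the example.

```python
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)  # idle threshold from the quarterly audit

def required_scope(method, resource):
    # Assumed convention for this example: GET needs read_<resource>,
    # any other method needs write_<resource>.
    return ("read_" if method.upper() == "GET" else "write_") + resource

def audit_connection(granted_scopes, calls, today):
    """calls: (date, method, resource) tuples observed for one connection.
    Returns the action to take and, for a reauthorization, the scopes to keep and drop."""
    if not calls:
        return {"action": "revoke", "reason": "no recorded use"}
    idle = today - max(day for day, _, _ in calls)
    if idle > STALE_AFTER:
        return {"action": "revoke", "reason": f"idle {idle.days} days"}
    used = {required_scope(method, resource) for _, method, resource in calls}
    unused = sorted(set(granted_scopes) - used)
    if unused:
        return {"action": "reauthorize", "keep": sorted(used), "drop": unused}
    return {"action": "none"}

# Constructed inventory: names, dates and call records are made up, and the
# non-Shopify scope names are placeholders rather than real scope identifiers.
TODAY = date(2024, 6, 30)
INVENTORY = {
    "shopify-orders-sync": (
        ["read_orders", "write_orders", "write_customers", "write_products"],
        [(date(2024, 6, 28), "GET", "orders"), (date(2024, 6, 29), "GET", "orders")]),
    "stripe-legacy-zap": (["read_charges"], [(date(2024, 1, 15), "GET", "charges")]),
    "quickbooks-invoicing": (["write_invoices"], [(date(2024, 6, 30), "POST", "invoices")]),
}

def audit_inventory(inventory, today):
    return {name: audit_connection(scopes, calls, today)
            for name, (scopes, calls) in inventory.items()}

if __name__ == "__main__":
    for name, finding in audit_inventory(INVENTORY, TODAY).items():
        print(name, finding)
```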
Security in automation is not an optional add-on. It is a fundamental requirement. For businesses handling financial data through automated invoicing or processing orders through platforms like ShipStation, a single security failure can expose thousands of customer records and trigger regulatory consequences.
"The weakest link in your automation security is not the platforms themselves. It is the connections between them and the humans who configured those connections without thinking about threat models."
If you are unsure about the security posture of your current automations, our free automation audit includes a security review that identifies credential exposure, excessive permissions, and missing audit trails. See also our article on over-engineering, because unnecessary complexity creates additional attack surface.