Payment systems
YourQuestion, 2015-02-09 12:13:28

How to deal with security when accepting payments on the site's internal account?

Good afternoon.
There is a shop. Now we are thinking about creating an internal account for users so that they can credit money to the account and pay for goods purchased on the site from it.
What about security? For example, how to track an attempt to hack a personal account in time so that the hacker does not have time to buy goods on the site (in case of a successful hack)?

2 answer(s)
William Thorn, 2015-02-09
@xydope

What about security? For example, how to track an attempt to hack a personal account in time so that the hacker does not have time to buy goods on the site (in case of a successful hack)?

1. Is it possible to withdraw money from the system? If so, through which payment systems? If not, then what is the point of a hacker breaking into someone's account? Steam, however, has a similar service where money cannot be withdrawn; study it.
2. Are the goods digital or physical?
3. Can the personal account be used for purchases only in your store? If not, then consider that you are becoming a payment system.
Do not take it for rudeness, but, frankly, the idea is crazy, you complicate your life with functionality that is completely unnecessary for customers.
P.S.
If you really want to, then use SMS OTP to authorize orders from the personal account.
1. The client places an order in the online store, paying from the internal wallet.
2. An SMS is sent to the client's phone: "You have placed an order for the amount X; to confirm, enter the code sent in this SMS."
Do not forget that you also need to control changes of phone numbers, e.g. to confirm a change of phone number in the account, the user must confirm this action via email (an email "confirm change of phone number" arrives).
And yes, you have a stupid idea :)

Nikolai Korabelnikov, 2015-02-09
@nmk2002

You can track a hack attempt as follows. First, set up two-factor authentication. Second, control failed login attempts. Authentication servers support account lockout after multiple unsuccessful login attempts.
As the second factor in your case, I recommend OTP (OATH HOTP, TOTP), delivered as hardware tokens, as an application on a smartphone, or via SMS.
You can require confirmation of the purchase via the user's phone number or email. Simply put, use a second channel to confirm the order. Then compromising the account will not allow the client's funds to be spent.
You can also capture a fingerprint of the user's typing pattern on the keyboard during registration, and then check for a match later. This is also essentially authentication.
Well, checking by IP the place where the user came from is not superfluous either. If a user lives in Saratov and suddenly buys software with all their money while in Zimbabwe, then feel free to suspend the order and perform an additional check.
