Jumping in on this thread as I'm having the same issue. I figure the squeaky wheel gets the grease, so I've been conversing with tech support, to inquire about the current status of the issue and be another reminder to them that it's something that needs to be addressed. I was advised that their development team is aware of it but there's no timeline. I shared with them "Telling someone there's no timeline is like telling them it's not a priority."
Further into our discussion, the guru suggested I try an app to aid in prevention of these, to which I replied "I may look into it if this persists as a temporary alternative, but I feel that this is an issue that should be addressed in the core code, by Shopify, as a part of standard security and my investment into Shopify, and an app should not be necessary to prevent these from getting through."... "Me and a lot of other vendors I think are on the same page I believe. Apps offer wonderful ways to enhance and accessorize a site, but this is a basic security issue that should be addressed through and by Shopify as a part of its standard operation and continued improvement."
The guru agreed and has shared that they will *supposedly* escalate the issue to the "Merchant Frustration" team. Folks, keep in contact with Shopify support to let them know this is an issue that concerns you and you want addressed. Individually our complains seem only personal, but collectively they reveal a larger, more concerning security issue. The more support tickets and complaints they get, the more attention it will receive and the higher it will get prioritized. Squeak, squeak, squeak...
Just talked to a Shopify Guru about this situation. They did reiterate that no timeline was available but the Guru would send feedback to the dev team who is working on this issue. I told them that this has been an issue for at least 4 years and security on our sites should be top priority. We are a newish online store and we are still working on adding all of our products to the site. But getting 20-40 new registers a week for such a small store like ours is crazy. I can't imagine the 2k another store was getting!
My store has also recently (around 3 weeks ago) become the target of these annoying, if (apparently) benign bots. Fortunately, I haven't experienced anywhere near the level that some have mentioned (thousands per day - eek!). So far, it's only been less than 10 per day. I was also getting garbled "comments" on some of my blog postings, but I locked out the ability to comment a while back and have apparently put an end to that (so far, at least)...
I've tried several of the workarounds mentioned (reCAPTCHA v2, v3), removing the "Sign in or Create an Account" section on my home page - all to no avail. The only thing that seems to work for my store is disabling the customer accounts through the Admin->Settings->Checkout->"Accounts are disable" button is selected. That means I have to manually enter the customer information when an order is placed, which I'm willing to do. The thing that annoys me the most is that the vast majority of the Customer accounts I have over the past 3 years come from actual purchasing Customers and Newsletter registrations. It puts a burden on the shopkeeper to "babysit" their Customer Accounts logs to ensure that they aren't being overwhelmed with fake Customer Accounts, when I feel that Shopify (who is quite aware of the problem, as it has existed for several years according to this thread posting), should be working more aggressively to fix the vulnerability wherever it is on their API code to stop this in its tracks.
I'm not inclined to shell out $5.00/month for an app that works for some and not for others, more or less successfully. My having to pay money to a 3rd party developer to keep the bots at bay essentially gives the bots a win. Having to babysit my Customer accounts logs gives the bots a win. The various responses I've received from the Shopify Gurus (who are sympathetic to this issue, but apparently not in a position to actually **help** me) has been mixed. The latest Guru basically told me that my options were to lock down my Customer creation ability and wait things out until the bots lose interest and move on to their next victim, or shell out money to a 3rd party developer, whose app, "Shop Protector" doesn't **guarantee** 100% elimination of bot activity. I've tried the "reCAPTCHA" option, which may actually be working, but hasn't eliminated the issue - but at least there was no charge for the effort. I'm beginning to wonder whether I should be looking around for a different web hosting company that offers decent ecommerce websites with more robust support...
Here's another thread going on this issue: https://community.shopify.com/c/Shopify-Discussion/Shopify-Spam-Customer-Accounts-with-Real-Email-Ad...
Also I'll add an app called Shop Protector has completely stopped the Spam accounts on my site, but I also was getting hundreds of Spam comments on my blog posts a day using the same information that was being used to setup those accounts. The app did not stop those so I had to shutdown the comment section in my blog. Shopify needs to stop fooling around with Admin panel design changes and work on this issue!
|35 seconds ago|