Update on the new account creation by the Russian bots: 103K!
We are now averaging 45 new accounts every 15 seconds and I haven't heard a peep from Shopify support since I live chatted with them earlier when I posted here.
Some Russian hacker found a hole in the way Shopify allows customers to create accounts and is exploiting it like a DDoS attack of sorts.
I wish they would fix this issue if they've known about it for years.
I tried the Ellipsis Human Presence Technology app and it does absolutely nothing.
I am sure they are sweating it. There is a point where if 500,000 shops all start accepting 100,000 new accounts per 8 hours... Shopify will cease to operate. Period. Can you imagine the sweating going on right now? It is likely Old Spice stock is a super buy right now!
The Ellipsis Human Presence Technology app works, but you need to complete a few steps to set it up before your site is protected. If you are confused about what to do, I'd recommend emailing John from Ellipsis, and he can walk you through the steps. Once you set it up, the protection kicks in after a few minutes.
Would temporarily disabling customer accounts affect the current "real" accounts? If we disable the ability to have accounts, this stops completely for this bombardment of new accounts as well as legit ones.
I want to know if we can and it won't have any negative effect on current accounts.
@Moto Werk, We completed all the steps it had us do and nothing seemed to happen at all. It shows suspicious vs real, but it's not detecting these new accounts because they are skipping the form on the page completely and using a browser script to create accounts on the backend it seems.
@Moto Werk, thanks for alerting us to the issue.
@Brian, this is John from Ellipsis Human Presence Technology. Thanks for your interest. I'd be happy to help you solve the issue. I took a look at your setup and it appears you were about 75% complete with the 4-step process. I just took care of the last step for you. If you would like to re-enable the account signups on your store I'd be happy to try creating a test account. You shouldn't receive any more spam account signups.
@John Schulz We are working with Shopify to resolve this, it shouldn't have happened because of a flaw in their system. If they come back with no solution, we'll give the app a try. Thanks.
For now, we had disabled customer accounts on the website and put a stop to these spammers.
It stinks it also affects current real customers, too. :(
@Brian We disabled customer accounts as well, but that only worked for 24 hours, after which time the bot attacks resumed. The problem is two-fold: (1) some bots automatically use the customer account registration form, while (2) other bots exploit the Shopify programming code in the liquid theme that is not connected to the customer account at all. Shopify has no solution whatsoever. We wasted several weeks on this issue with them. If you read my original post carefully, you can see that I quoted the Shopify guru's final reply. Here it is again:
"Our escalated technical team had a deep dive into the entries and how they're being created using the tools at their disposal - essentially, because of the template-based way that Shopify sites are often created, bots can sometimes be programmed to access their code regardless of which entry points are offered on the site itself.
Removing mailing list signups and links in the header (like you had done) will help, but the best way to put a halt to bots is to use specialized software like the Ellipsis app that you've installed. .."
Again, once we completed all the set-up steps with Ellipsis, the app fixed the bot problem. We have not had even 1 bot attack or fake account since then.
Hope that answers your questions.