Shopify Spam Customer Accounts with Real Email Addresses

Pathfinder

My recent bot sign ups are new account creation with gibberish names and lately all emails end in yandex.ru. I don't think the recipients are going to be bothered by my account confirmation emails but I am concerned about my reputation with Gmail. I've never had account creation as a requirement, btw.

When I had my newsletter sign up form enabled, the difficulty was when the names and emails were legit and I had to go google search and risk my Mailchimp spam reputation by sending the 'maybes' a newsletter.

Also an issue is that my admin shows customers that my analytics account does not. Disheartening to think that most of the customers in my shops are bots. I don't want to see that every time I open my admin:/

0 Likes
Tourist

Spot on @SubstanceUK. Yes, they are getting in via a hidden form on Shopify's stores. I was able to test this by simply getting a code guru to completely remove my CREATE ACCOUNT coding for a few days and guess what? YES the bots got in with NO create account form on my site and also I had removed/hidden my newsletter sign up form on my homepage. I believe the reCaptcha and all the other apps work fine but if the bots have a hidden form they can access then there's no point in installing those apps. I even went an extra mile by having a code guru rearrange my CREATE ACCOUNT page fields to EMAIL, FIRST NAME, LAST NAME, PASSWORD & CONFIRM PASSWORD and had those fields with a REQUIRED/* but NO, bots don't see that, they have the basic Shopify hidden form. It really saddens me to see so many people affected by this. I'm NOT happy with Shopify's 'NON-RESPONSE/-get-an-app-fix-it-solution' and therefore I'm in the process of moving elsewhere. I'm aware there are pros & cons with every platform but ONE of my options is BigCommerce. They seem to have some serious security systems in place for their customers. E.g. check out their CREATE ACCOUNT pages with detailed REQUIRED/* form fields and their SSL encryption just to name a few. I emailed and even spoke to some random BigCommerce store owners and was really pleased with their experiences.

1 Like
Tourist

@JenMDoss I posted this reply to someone on here but didn't want you to miss it. So here it is...

Yes, they are getting in via a hidden form on Shopify's stores. I was able to test this by simply getting a code guru to completely remove my CREATE ACCOUNT coding for a few days and guess what? YES the bots got in with NO create account form on my site and also I had removed/hidden my newsletter sign up form on my homepage. I believe the reCaptcha and all the other apps work fine but if the bots have a hidden form they can access then there's no point in installing those apps. I even went an extra mile by having a code guru rearrange my CREATE ACCOUNT page fields to EMAIL, FIRST NAME, LAST NAME, PASSWORD & CONFIRM PASSWORD and had those fields with a REQUIRED/* but NO, bots don't see that, they have the basic Shopify hidden form. It really saddens me to see so many people affected by this. I'm NOT happy with Shopify's 'NON-RESPONSE/-get-an-app-fix-it-solution' and therefore I'm in the process of moving elsewhere. I'm aware there are pros & cons with every platform but ONE of my options is BigCommerce. They seem to have some serious security systems in place for their customers. E.g. check out their CREATE ACCOUNT pages with detailed REQUIRED/* form fields and their SSL encryption just to name a few. I emailed and even spoke to some random BigCommerce store owners and was really pleased with their experiences.

NOTE: I asked a theme support guru to replicate BC's detailed CREATE ACCOUNT page with the reCaptcha just above the CREATE button but I was told Shopify doesn't allow that. Why don't they??? I think it will definitely help. I hope this is helpful info.

4 Likes
Shopify Partner

Having the exact same issue as everyone else, Spam accounts being created with real/stolen emails.

Blog comments spam with gibberish. Exactly the same.

Solution: Discontinue flawed, faulty products (Shopify) and move to functional ones. Try Square, WordPress/WooCommerce, LightSpeed, Vend, etc.

I laughed my ass off seeing this thread, not surprised one single bit. Shopify are one of the worst, most pathetic and careless companies I've ever had to deal with. Their customer service team will actively lie to you, over and over. I write these posts as a result of the service (therefore lack of) that I have been given, for too long.

Their procedures are as follows (read any issue thread in this forum for confirmation of this):

- Customer brings up issue with faulty product.

- Shopify rep responds with bullshit wall of text, no actual solution, recommends a 3rd party PAID $$$$ solution to fix an issue with their core product.

- Shopify rep leaves issue thread, never to be seen again and closes the issue on their end, pretends it's now fixed.

- Customer repeats the issue was never resolved, including some gullible people who paid for a 3rd party fix, to find it did not resolve their issue either.

- Shopify: Crickets...

- More and more Customers continue to raise core issues.

- Shopify: Crickets...

This is a time honoured tradition at Shopify. Honestly, they should be ashamed of themselves. Enough is enough.

4 Likes
Excursionist

@Orange-20 Thank you for the info! 

0 Likes
Explorer

@MJC wrote:

Hi, do not worry, I did not click on the link, but when I hover over the email address it just shows "mailer@shopify", which is my area of concern. However, you are correct, most emails of this sort will show a different email address and are easy to spot.


I believe the mailer@shopify is your contact page. Someone fills out the form and it's emailed to you from mailer@shopify. I used to get quite a few of those "my friend, mother, sister" didn't get their order emails also, on top of a bunch of contacts about people wanting to write articles for things that weren't even related to my store. Been getting those for over a year. Ironically that was before the fake accounts started happening, those decreased when the fake accounts and spam blog comments began, so maybe they updated their attack.

Since I installed Shop Protector (been two weeks) that's all basically stopped, no more accounts and no more Spam emails. It did not fix my blog comment issue though so I'm still operating with comments off. Granted, I still believe this is something Shopify is responsible to fix, this is a clear flaw in their security. But if you care about the effects this may have on your brand I suggest installing the app. Shopify may very well get around to fixing the problem, but I've been here for about 5 years and can vouch that it will be MONTHS before it gets fixed, because I had a laundry list of issues at one time and it took 6 months to a year for them to get fixed, whether they intentionally fixed them or they got fixed by accident when they changed something else who knows.

Shopify has a bad habit of not testing things when they make back end changes. I can't tell you how many times I've contacted Support with an issue that according to them I was the first person to discover. I contacted them a month or so ago because I could not download the updated version of the Shopify Android app, it was missing from the Google Play store. Turns out for some reason they marked it as not compatible with my phone (a OnePlus One), I had to find the updated version of the app on another site, side load it on my phone and it works perfectly fine (so it is compatible). The support person was totally oblivious, and last time I checked they still haven't fixed it, my device is still showing as incompatible and I still can't download it from the Play store, so from here on out I'll have to be side loading the app!! I even half sarcastically offered to be a beta tester for them, because it appears I know more about their system than they do, which I probably do considering I'm working on my site 7 to 10 hours a day.

1 Like
Excursionist

@Jim_West Hi Jim, Thank you for your reply, I actually use "Improved Contact Form" as a means of customers contacting me as well as info@mysite name. It could be (I am guessing) either there is a hidden contact form that spammers are using or just sending emails to my info@ address. However I am surprised that despite everybody's concerns being listed here and also users raising the issue with Shopify support there is no response on this forum or it would appear a solid reply. I am hesitant to use another paid-for app as I believe that this is the type of issue that should be fixed internally and further think people need to vote with their feet if this type of problem is not resolved. I am researching other platforms' forums to see how their issues get handled. Shame really as I did quite like Shopify.

1 Like
Explorer

@MJC I completely understand your reasoning, unfortunately not everyone can simply pick up their site and move it to another platform. I know because I tried it last year when Shopify out of the blue kicked me off Shopify Payments during the holiday season. I was so ticked off I wasted the best sales month of the year (December) trying to convert my entire website over to BigCommerce, instead of listing new inventory, only to discover even with Shopify's flaws and inconveniences it was still a better fit for me. The way I look at it you can spend your time dwelling on the small things or spend your time grinding it and making money. At this point in the game I'm selling better on Amazon and eBay than my own site, but I use my site as a home base for my entire inventory and consistently work on it to the point where it will eventually be my #1 sales channel. When that point happens I will likely look for alternatives to Shopify, but at this point I've tried to stop sweating the issues. $5 more a month to protect my brand is worth it for me instead of spending weeks trying to find a fix myself or attempting to move my site again which is not as easy to convert over as the competition (who will say anything to get your business) will lead you to believe it to be. But everyone is at a different stage.

0 Likes
Tourist

I've finally had a decent response from a Shopify customer service representative. I was on the call for around an hour and the best suggestion she could offer was to remove the email sign-up form on the homepage.

When completed by a human, the sign-up form tags an email address as 'Newsletter' and doesn't contain data in the first and last name fields.

When we get a bot sign-up, the customer accounts have data in the first and last name fields and aren't tagged with anything. They're also marked as 'has an account' within the Shopify admin, although a few of our stores have had the account creation forms removed as they're wholesale and by invitation only.

She stated that as the API is open on the homepage then the bots could be using the email form to complete the sign up process. I'm going to try removing this form and see how we get on. I had to be very insistent when pushing the idea that the bots aren't using a contact page form or an account creation form to sign up.

I'll let you know how I get on with this.

2 Likes
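
The pattern described in the post above (human newsletter sign-ups are tagged 'Newsletter' with empty name fields; bot sign-ups have both names filled, no tags, and an account) can be used to triage a customer export. This is an added example, not part of the thread and not Shopify's code; the column names, the `Has Account` column, the zero-orders safeguard and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names are assumptions: adjust to your file.
SAMPLE_CSV = """First Name,Last Name,Email,Tags,Total Orders,Has Account
,,anna@example.com,Newsletter,0,no
Xkqzvb,Wrtplm,sample-bot-1@yandex.ru,,0,yes
Qpwlzr,Hgfdsk,sample-bot-2@yandex.ru,,0,yes
Jane,Doe,jane@example.org,,3,yes
Tom,Reed,tom@example.net,Newsletter,0,yes
"""

def classify(row):
    """Label one customer row using the pattern described in the post above."""
    has_name = bool(row["First Name"].strip() and row["Last Name"].strip())
    tags = {t.strip().lower() for t in row["Tags"].split(",") if t.strip()}
    orders = int(row["Total Orders"] or 0)
    has_account = row["Has Account"].strip().lower() == "yes"
    if orders > 0:
        return "customer"      # assumption: anyone who has ordered is never flagged
    if "newsletter" in tags and not has_name:
        return "newsletter"    # what the human sign-up form produces
    if has_name and not tags and has_account:
        return "suspect"       # names filled, untagged, account created
    return "review"            # matches neither pattern: look at it by hand

def triage(csv_text, min_cluster=2):
    """Return (label per email, domains holding >= min_cluster suspects)."""
    labels, domains = {}, Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["Email"].strip().lower()
        labels[email] = classify(row)
        if labels[email] == "suspect":
            domains[email.rpartition("@")[2]] += 1
    clusters = {d: n for d, n in domains.items() if n >= min_cluster}
    return labels, clusters

if __name__ == "__main__":
    labels, clusters = triage(SAMPLE_CSV)
    for email, label in labels.items():
        print(f"{label:10} {email}")
    print("suspect domains:", clusters)
```

The `suspect` label is a queue for manual review, not a delete list; the domain clusters show whether the suspects share a mail provider, as with the yandex.ru addresses mentioned at the top of the thread.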
Tourist

Update - removing the email form has made no difference whatsoever.

This issue is a game changer for us.

0 Likes