Shopify Spam Customer Accounts with Real Email Addresses

Excursionist
12 0 25

@Orange-20 

I think we're past the finer points of courtesy towards Shopify on this thread! Lest you be swamped by DMs, I reckon you should give us your tip. (Unless you have a financial interest in this other platform - in which case, tell us your interest and then pitch it to us.)

5 Likes
Excursionist
14 0 5

I agree, I think you should just say the name in this thread of the platform you think is a great option. 

1 Like
Excursionist
13 0 16

Hi Guys,

No financial gains whatsoever....just a small business owner who loves what she does and disappointed with what Shopify is doing to ALL of us. I'm more than happy to share here. So, I'm migrating to BigCommerce!!! ....personally, I think the pros and cons are fantastic. To be honest a few months ago during my research, I came across an old BC conversation thread with bot sign ups to their newsletter sign ups but no bots creating accounts. So I contacted (as they mentioned website in convo) this random BC shop owner and honestly asked her about bot creating accounts. She said "NO" only a few here and there via her homepage newsletter but she had the developers put in a REQUIRED/* for FIRST NAME, LAST NAME, PASSWORD and that really minimised the sign ups but now only gets a few from month to month. This was of interest to me because I'm not getting any bots sign via my PAID Privy account.
 

So here is a little back story on my findings which I posted here a while back....

Yes, they are getting in via a hidden form on Shopify's stores. I was able to test this by simply getting a code guru to completely remove my CREATE ACCOUNT coding for a few days and guess what? YES the bots got in with NO create account form on my site and also I had removed/hidden my newsletter sign up form on my homepage. I believe the reCaptcha and all the other apps work fine but if the bots have a hidden form they can access then there's no point in installing those apps. I even went an extra mile by having a code guru rearrange my CREATE ACCOUNT page field to EMAIL, FIRST NAME, LAST NAME, PASSWORD & CONFIRM PASSWORD and had those fields with a REQUIRED/* but NO, bots don't see that, they have the basic Shopify hidden form. It really saddens me to see so many people affected by this. I'm NOT happy with Shopify's 'NON-RESPONSE/-get-an-app-fix-it-solution' and therefore I'm in the process of moving elsewhere. I'm aware there are pros & cons with every platform but ONE of my options is BigCommerce. They seem to have some serious security systems in place for their customers. E.g. check out their CREATE ACCOUNT pages with detailed REQUIRED/* form fields and their SSL encryption just to name a few. I emailed and even spoke to some random BigCommerce store owners and was really pleased with their experiences.

 

NOTE: I asked a theme support guru to replicate BC's detailed CREATE ACCOUNT page with the reCaptcha just above the CREATE button but I was told Shopify doesn't allow that. Why don't they??? I think it will definitely help. I hope this is helpful info.

 

NOW....So I noticed one of my business suppliers had this amazing website with all the create account fields that I wanted for my Shopify store....so, yes, I asked them who designed it and they said via BC. She said they (big business) were glad they made the move because their conversion rate went quite high.

 

Sorry for all the details, but I hope you all find it helpful in some ways. Like you all, I personally want my shop to be secure and safe for me and my customers. One more thing....while setting up, I now see why BC don't have a lot of apps on their platform. It's because their themes have all the functionality you need to run a smooth, safe and secure store.

 

Happy to answer (to the best of my ability) more questions if you have any. I REALLY HOPE SHOPIFY step up their game because this has gone too far!!!!

2 Likes
Explorer
63 1 12

Hi @Orange-20 

 

Thank you for this information and your detailed description below. Appreciate it!

TTL CIC - - a Company limited by guarantee with charitable objectives.
1 Like
Explorer
51 0 33

Since Shopify added the captcha script to my customer account signup, spam accounts have so far stopped.

Good news for me (so far) but bad news to others who have found this doesn't work.. and even removing forms doesn't work either. They talk about 'hidden forms' maybe these do exist... I'm wondering if it might be down to the theme you are using.

If you have had the captcha added and form removed and still get spam accounts.. what is your theme?

1 Like
Explorer
63 1 12

Hi @Feemish 

Congrats for your bogus customer registration free new life! And, thank u for following the conversation and your response.

We're using Debut.

Last month suddenly our store was swamped by bots: newsletter registrations, customer registrations and blog post comments. Before that we'd had just the few.

So, we began with editing the code for the customer registration form and the contact form: with a little help from some good & kind people here on the forum we added mandatory new fields (the so-called 'honey pot strategy'). (There r some here, mind u, who will try to sell their services when a store owner feels troubled and even send private messages to get them on board!) This helped, because then u can easily tell who is and who isn't a bot: for example all the bots choose the option for 'I am not 13 or older' - which means they can not be our customers. But, it didn't stop them.

So, then we followed the instructions of some people here on the forum to install the Google reCaptcha. From the GrC dashboard I can tell that it is working, but I can not tell if there is a trick I've missed. I didn't ask Shopify to install the 2nd key to the store: this is because I'm already in conversation with them about the bug situation due to the free app I installed to get rid of the bot engagement and I'm not sure we have time or energy for two simultaneous conversations at the same time ... trying to explain etc etc ...

So GrC is sort of working on all forms (need to check if it works for the comments form, had issues adding a mandatory form field to that and no one could help - but, one person tried to get hired to fix it!), and we removed the newsletter registration form - which we think is just an invitation for trouble - and substituted a contact form with additional mandatory fields. We can do this bc we're a non-profit and it doesn't affect the flow of sales for us. And, there is a new mandatory field on the customer registration form - and some good & kind person showed us how to amend the field so we can see customer input from the customer's file: if they say they are not 13 or older, they aren't a customer - period (or, full stop, as we say here in London).

As said above, need to check the comments form for blog posts - but there weren't any bot comments yesterday, for some reason. It may be that Shopify has, out of the goodness of their heart, applied the 2nd GrC key to our store?! Who knows!? I don't think our version of Debut has hidden forms. Given that unfortunately as time passes we're detecting sloppiness in the coding (this would be another thread), some themes or their versions may have content which does not belong there - or, being devil's advocate, are reporting to their developers? Again, who knows?! Once trust goes then it becomes more difficult to work on our store, sadly (would have another thread on 'free' apps trying to upsell, but there's work today ...).

TTL CIC - - a Company limited by guarantee with charitable objectives.
1 Like
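The honeypot triage described in the post above, as an added example that is not part of the original thread: it sorts a customer export by the answer to the added mandatory field. The CSV column names, the "Key: value" note layout, the field label and the sample rows are all constructed assumptions; accounts with no honeypot value at all are bucketed separately, since they were not created through the edited form.

```python
import csv
import io

HONEYPOT_KEY = "13 or older"  # assumed label of the added mandatory field

# Constructed sample export; columns and note format are assumptions.
SAMPLE_EXPORT = """\
First Name,Last Name,Email,Total Orders,Note
Ann,Lee,ann@example.com,2,13 or older: Yes
Mark,Jones,mark@example.net,0,"Referrer: none
13 or older: No"
xkq,zzp,bot1@example.org,0,
Sam,Roy,sam@example.com,0,13 or older: Yes
Eve,Hart,eve@example.net,1,
"""

def parse_note(note):
    """Turn 'Key: value' lines of a customer note into a lowercase dict."""
    fields = {}
    for line in (note or "").splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip().lower()
    return fields

def classify(row):
    """Label one exported customer row."""
    try:
        orders = int(row.get("Total Orders") or 0)
    except ValueError:
        orders = 0
    if orders > 0:
        return "keep"            # never auto-flag an account that has ordered
    answer = parse_note(row.get("Note")).get(HONEYPOT_KEY)
    if answer is None:
        return "bypassed_form"   # field absent: signup did not use the edited form
    if answer == "no":
        return "honeypot_hit"    # the option the post says the bots choose
    return "keep"

def triage(csv_text):
    """Group customer e-mail addresses by classification."""
    buckets = {"keep": [], "honeypot_hit": [], "bypassed_form": []}
    for row in csv.DictReader(io.StringIO(csv_text, newline="")):
        buckets[classify(row)].append(row["Email"])
    return buckets

if __name__ == "__main__":
    for label, emails in triage(SAMPLE_EXPORT).items():
        print(label, emails)
```

Accounts created before the field was added also land in `bypassed_form`, so that bucket is a review list rather than a delete list.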
Explorer
51 0 33

@TakTogLon 

I thought you were going to say you had a third party theme! Not a Shopify supported theme. Hhhhmmm

Might need some other store owners with the issue (and unsolved by captcha) to tell us what theme they are on to see if there is a pattern.

0 Likes
Excursionist
18 0 18

Hi all,

I am using the "Sunrise theme" and even after Shopify putting captcha onto my account creation I am still getting some Spam accounts. I did contact my theme developer who said it was how Shopify was designed was the issue and changing my account creation URL etc would not do anything. I did contact Shopify support again and asked what, if any, the update was. I was informed that they are aware of the issue and are trying to implement a fix. This I did take to be positive as normally support staff on any platform pretend this is the first time they have heard of the issue which I find very annoying. They also had already added the captcha without informing me which I took to be a good sign. However that said I am still exploring options regarding other platforms as I do not believe you want to be in a position where you are held captive. I will continue to monitor this thread and see what progress is made.

1 Like
Excursionist
14 0 19

@Feemish - Same. I had the Captcha block added about the same time as you. I've had a couple sales (my shop isn't a busy one yet), but no fake customer accounts (that I can see). So far, so good. 

1 Like
Excursionist
20 0 10
  1. How does one person clean up their customer list now knowing that there are a mix of easy to spot fake customer accounts along with those with legit first names and last names?
  2. Apps / recaptchas clearly don't work after reading this entire thread.
  3. Shopify reps I've spoken to have said that Shopify's API is open therefore it doesn't matter what form you remove or don't remove.
  4. This brings me back to my earlier points is that the only way to nuke this issue once and for all is to block hostnames, most of which are coming from Russian servers and amazonaws. We have no control whatsoever from a firewall standpoint to block these bad players and any app that says they block IP addresses is a spotty game of whack a mole that will never end.

If we don't find a resolution I'm moving my company's 4k a month spend, instead of this pitiful platform or somewhere else where we have more control and actionable support reps not the same guys and gals reading from a canned script of useless responses.

1 Like