Auto Customer Accounts Created for Fake or Bot Accounts

khoff
Shopify Partner

New to Shopify and have never had an issue like this in 20+ years of working on other commerce sites. I am seeing a rash of new accounts being created in Shopify which in turn are being created in our ERP and in Klaviyo. All of these accounts have gibberish names (usually first and last names the same) and a junk email account from Gmail.

I am getting anywhere from 5-50 of these each day. This is definitely a Shopify-only issue, as I manage a few other ecomm stores on other platforms and I do not see this happening on those. It also appears to be an old issue that Shopify has yet to do anything about, and spam filter apps don't seem to work either without additional costly charges and don't address account creation.

Is there any way to keep these fake accounts from being created in the first place? Why does Shopify create accounts for customers when they aren't even customers? An account should only be created when a person actually places an order. Is there any way to make it so accounts are only created when someone actually buys something?

With the growing number of fake accounts in our Shopify store being pushed out to other services that charge by the number of contacts/customers, this will become a VERY costly problem.


Jeska
Visitor

The community interface here won't let me see comments, only this REPLY button.

Anyhow,  I woke up to this issue today as well. The only change we made to our site was that we added a GDPR app for cookie consent. Coincidence?


MaryKSRSC
Visitor

We are having the same problem, except that hundreds of accounts are being added each day. We've been dialoguing with Shopify Support all week with no helpful answer. They are recommending Shop Protector, Fraud Filter, NoFraud Fraud Protection, Flow, Spam Protection No Captcha... none of these are working. The accounts all have lowercase first and last names, and the same name is entered in the 2 top address fields. 

[Screenshots: "Added by the 100s per day"; "Fake Customer Accounts"]

We've confirmed that our Captcha is on, 2FA is activated, and we've even deactivated the newsletter sign-on for a time to see if that would stop the new accounts from being added. It has not. We are totally unable to send newsletters at this time.
We are waiting for a Shopify Expert called Apolomultimedia to send us a bid on how to solve the issue. 
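
The traits reported above (identical first and last names, all-lowercase names, the name repeated in the address field, no orders) can be used to hold suspect records back before they sync to Klaviyo or an ERP. This is an added example, not part of any post in this thread; the CSV column names and sample rows are constructed assumptions, so adjust them to your own customer export:

```python
import csv
import io

# Constructed sample rows; the column names are assumed, adjust to your export.
SAMPLE_CSV = """First Name,Last Name,Email,Address1,Total Orders
digitus,digitus,digitus@example.com,digitus,0
Dustinaduby,Dustinaduby,dustinaduby@example.com,,0
Maria,Lopez,maria.lopez@example.com,12 Elm St,3
alex,alex,alex@example.com,9 Oak Ave,2
Sam,Reed,sam.reed@example.com,4 Pine Rd,0
"""

def score_row(row):
    """Return the list of signals a customer row matches."""
    first = row.get("First Name", "").strip()
    last = row.get("Last Name", "").strip()
    addr = row.get("Address1", "").strip()
    signals = []
    if first and first.lower() == last.lower():
        signals.append("first_equals_last")
    if first and first.islower() and last.islower():
        signals.append("lowercase_names")
    if addr and addr.lower() in (first.lower(), last.lower()):
        signals.append("name_in_address")
    try:
        orders = int(row.get("Total Orders") or 0)
    except ValueError:
        orders = 0  # unparseable count is treated as no orders
    if orders == 0:
        signals.append("zero_orders")
    return signals

def triage(csv_text, threshold=2):
    """Split rows into (suspect, keep). Accounts with any order are never flagged."""
    suspect, keep = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        signals = score_row(row)
        if "zero_orders" in signals and len(signals) >= threshold:
            suspect.append((row["Email"], signals))
        else:
            keep.append(row["Email"])
    return suspect, keep

if __name__ == "__main__":
    suspect, keep = triage(SAMPLE_CSV)
    for email, signals in suspect:
        print(f"HOLD  {email}  {','.join(signals)}")
    print("sync:", keep)
```

A real customer with a matching name but at least one order (the `alex alex` row) is kept, and a zero-order account with an ordinary name (the `Sam Reed` row) is not flagged on that signal alone.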

ponix
Excursionist

I am having the same problem.

It is acting like a virus since it must be happening through points that are not even activated.

Shopify should be addressing this directly, not fixing it at a price through a "Shopify Expert" for a problem that appears to be an attack through their back end.

will-winespark
Visitor

Hi @khoff -- were you ever able to diagnose where/how these customers were being created (maybe an unsecure API endpoint) or lock it down? We have just started seeing the same behaviour on our side.

baitcagekit
Tourist

In our case, we found the gateway to fake Shopify customer account generation was through our Customer Login portal. There is an option to "Create account" as indicated by the arrow:

baitcagekit_1-1691015354897.png

Since our customer accounts are only created when a customer places an order, we removed this link by simply deleting a line of code in the customers/login.liquid template:

baitcagekit_2-1691015456069.png

First, we created a duplicate copy of our Online store theme. Then we removed the line of code circled below and saved the file:

baitcagekit_6-1691016809513.png

Resulting in removal of the "Create account" link and no more fake customer accounts.

baitcagekit_4-1691015614127.png

 

 

 

wingnutz
Tourist

We correlated web traffic with fake sign-ups. We could not find a correlation with bots or anyone on the site. Changing the page to address the issue might work.

I am trying to find a correlation between web traffic and fake sign-ups, and I cannot. To block fake sign-ups without web traffic might address the issue without solving the problem.

The problem could be a hacked app that we installed on the store.

Noting what others have seen, there may be more than one hacked app.

Hacking an app? How? Somehow, an app maker's code repository gets an extra 50 lines of code that installs fake accounts. We upload the hacked app and it starts working after a random period.

Happy to compare apps installed offline as I want to avoid putting any names of solid apps into a forum.

digitus digitus, Subscribed, United States, 0 orders, $0.00
Dustinaduby Dustinaduby, Subscribed, United States, 0 orders, $0.00
WilliamKeype WilliamKeype, Subscribed, United States, 0 orders, $0.00
MichaelVic MichaelVic, Subscribed, United States, 0 orders, $0.00
LouisCoame LouisCoame, Subscribed, United States, 0 orders, $0.00
Evafhe Evafhe, Subscribed, United States, 0 orders, $0.00
JamesDoola JamesDoola, Subscribed, United States, 0 orders, $0.00

adfuel
Excursionist

We've been battling this problem for a while and it was mostly just an annoyance, but I noticed today that my spam complaint rate had risen from basically zero to 5% on my welcome flow.  Turns out all these emails are getting marked as spam almost right away.


fr3eze
Tourist

Exactly my case right now. They seem to destroy our domain reputation as their mission. This is also how I noticed the issue: customers say my mails go to spam -> Google Postmaster Tools shows spiked spam rate -> Klaviyo shows high spam rate from welcome flow. All started since Sep 2023.

adfuel
Excursionist

Exactly.  Here's my spam rate. Screenshot 2023-10-20 at 4.06.36 PM.png

adfuel
Excursionist

Just a shot in the dark, but did you happen to install the Swift SEO App on your store?
https://apps.shopify.com/swift

No idea if it's related, but I installed it, since removed, at the same time as the bots came after me.

khoff
Shopify Partner
I did not have the Swift SEO installed. Trying to keep apps to a minimum. Don't need the site to slow down on me.

PatLaf47
Tourist

Did it, and it didn't prevent fake clients from being created.

Ram_A
Explorer

We're facing the same issue. Regarding reCAPTCHA, it should only be applied during the new account creation process to combat spam, and not during the login process. This is because returning customers should not have to go through the reCAPTCHA. This is the least the Shopify team can do to help!


Ram_A
Explorer

I don't know how they manage to bypass some requirements on my custom registration form. I even deleted these two sections, thinking they might be using them:
'email-signup-banner.liquid'
and 'newsletter.liquid'
Unfortunately, it didn't help. I still somehow get account spam created every day, bypassing my custom account creation form requirements.

Ram_A
Explorer

Shopify Team, any insight!! Just today my store was flooded with > 100 fake accounts.

We badly need an option in the reCAPTCHA to be applied only on the new account creation process to combat spam, and not during the login process. This is because returning customers should not have to go through the reCAPTCHA.

edoram123
Tourist

+1 to this issue. Exactly the same. I have switched on recaptcha for the account sign up, though the setting also includes recaptcha for logging in. This hurdle will now affect our existing and real customers.

Shopify - please can you break down this setting so we can toggle recaptcha on separately for both account creation and login.

 

Grant_Harrison
Shopify Partner

I've spent hours manually removing bot accounts from multiple Shopify stores, and have confirmed that the bots are attacking the /registration form pages of Shopify themes.

If you have activated all Google Recaptcha in preferences and you're still seeing bot account creation, then the only solution to prevent this is to remove the registration form scripts from your theme's registration pages, not just links from the login page.

To do this you need an alternative account registration form. I'm using Helium Customer Fields App, which can be set up to build a customer account registration form that syncs with Shopify customer fields. It also has SPAM prevention options built into it. There may be other similar apps out there but I was already using Helium for registration forms.

Once you have set up your new customer form using the App and tested that it works, back up a copy of your current theme's customers/register.liquid file, then remove all the code between the lines:

{% form 'create_customer' %}
<!--- REMOVE ALL THIS CODE --->
{% endform %}

This basically removes Shopify's account creation form fields (preventing bots registering accounts).

Helium Customer Fields App takes over as the account registration form and syncs the customer data with Shopify. I have tested this mod for the past 2 weeks and haven't seen a single new bot account created.

 

 

Ram_A
Explorer

Thanks for sharing this.

tbh, Security should be a given, not something we add. If we're using 3rd party apps for fundamental stuff like Registration Form, then what are we paying Shopify for?

Handing our customer's info to another app just for registrations doesn't sit right. Especially when Shopify's busy with less important updates like new colors and variants.

Shopify should at least give us the choice to make reCAPTCHA for account creation only, without affecting the returning customers’ login process. It’s a small fix but could make a big difference.

Despite talking to Shopify support and them acknowledging the issue, it feels like we're stuck without real solutions for years!

Lychee88
Explorer

100% agree.  As I removed over 2k accounts I noticed they started in the middle of 2023 and not prior which means something within Shopify's back end changed that caused this issue. What's the point in paying Shopify for a storefront if they can't patch up basic vulnerabilities they caused? 

Shopfer
Visitor

Same here!
We already have an alternative register form and it took us a while to understand where the spam entries were coming from. We suspected the original form .../account/register just because this is a well-known standard URL. So we killed the section including the lines {% form ... {% endform %}, similar to what you did.
Fake accounts are still being created!!
I guess the spam bot addresses the form action ("/account") directly and does not need the form itself.

No idea what to do now ...

apps-developer
Shopify Partner

Try one of those anti-bot Shopify apps. There are plenty that have bot block or VPN block so it would filter out bots. For example: https://apps.shopify.com/kedra-shield-website-security