Re: Spam/Fake Customer Accounts

How can I prevent fake customer accounts on my website?

8 0 12

Hello everyone, 


I've been trying to combat the issue of fake/spam customer accounts from being made. I am not entirely sure how they are being made, but after reading articles, and other posts on here - I sort of understand how. 


I have done everything I can to combat the issue, my reCAPTCHA is and always has been enabled and yet these accounts are somehow still able to be made. 


They are relatively all different, some you can tell the e-mails are just made up, and others can pose as legit e-mails but the names are made up. 


Has anyone been able to actually curb this from the source?! I have a form sign up set up and that is what most of my customers use, however these fake ones have one thing in common, and that is their account is labeled 'classic' 


any help, guidance, or advice is much appreciated! 


Thank you! 

Schuyler Fisk
Erie & Creek Tackle
Replies 46 (46)

Shopify Partner
10975 2150 2290

Hi @SFisk 

You can choose the version of customer accounts to use as New customer accounts in Settings > Customer accounts


Screenshot 2024-01-31 at 09.40.12.png

- Solved it? Hit Like and Accept solution or ❤️Buy Me Coffee❤️
- Reton: Loyalty & Rewards - Earn points through tasks, redeem for discounts, and enjoy exclusive VIP rewards!
- Ryviu - Reviews & QA app: Collect product reviews, import reviews from AliExpress, Amazon, Etsy, Walmart, Shopee, Dhgate and CSV.
- Lookfy Gallery: Lookbook Image: Easy and fast to create Photo Gallery, Lookbook, Shop The Look.
- Reelfy‑Shoppable Videos+Reels: Create shoppable videos to engage customers and drive more sales.
- Enjoy 1 month of Shopify for $1. Sign up now.

1 0 6

Hi Dan-From-Ryviu,


Thanks for this advice! We are also facing this issue, especially recently. We see about 10 new spam accounts created per hour. I just deleted 8,000 fake accounts last night.


I followed your advice to switch to "New customer accounts" and confirmed that the old flow is disabled, but it does not seem to have helped. Since switching the option last night, I see about 120 new accounts created, as recently as a few minutes ago.


Here are some observations:

* The accounts have a first/last name filled in

* They do not have an address (only a "default address" consisting of their name and "united states")

* They have no orders

* They are subscribed to email marketing

* Their timeline starts with "Customer was created."


I think that last point is interesting because when someone signs up through my site, it says something different: "Online Store created this customer."


Do you have any other advice we can try?


Thanks so much!


8 0 12


This is the exact same thing that I am experiencing…


“Customer was created” and “Classic Account” is the only positive way to identify these accounts without accidentally deleting an authentic customer. 

Schuyler Fisk
Erie & Creek Tackle
51 1 28

Same exact problem here. Nothing I've tried works. Re-captcha decided to stop working on the challenge page and all I see is a button without the challenge so no one can submit a form via contact or newsletter, so I had to disable it. Even with it on, they were still creating accounts without form submission. Switched to new customer accounts and that didn't work. They've found a hole that Shopify needs to close. The majority of apps available to either IP block or control spam have bad reviews and end up hurting more than they help so we're stuck in an endless loop until Shopify fixes it. 😞

10 0 3



How are you mass deleting these accounts? I am having the same problem. 


Please and thank you! 

8 0 12

Good Morning, Dan.


I switched this last night, however I woke up to 4 spam customer accounts exactly how Emlyn had replied below. 


Is there any other alternative to deter this from happening?!


Thank you!

Schuyler Fisk
Erie & Creek Tackle
51 1 28

I just switched to the new customer accounts log in and it didn't work. 3 fake accounts just came through. It seems like they've found a vulnerability within Shopify and are exploiting it. Nothing we do on our end works and if Shopify refuses to fix, we're stuck deleting thousands of fake accounts constantly.

51 1 28

Unfortunately that doesn't work. I had 8 come through in the last 10 minutes while new customer accounts was enabled. Many others are seeing the same pattern. They found a hole within Shopify and nothing we do on our end stops it. Even with reCaptcha, they still get through.

60 3 29

Same exact problem here, e.g. from this one user alone, with First Name: 123 and Last Name: 123, I have received 270 fake accounts in the last couple of daysEven though I updated the registration form to only accept letters in the first and last name fields, they still somehow managed to bypass those requirements.

I've read most of the posts here about the same issue, and I am stunned by how none of them include any public sharing of thoughts or plans from the Shopify team on how to stop this issue of API customer creation.

Screenshot 2024-02-09 at 03.47.09.png

51 1 28

Also an app isn't going to fix a backdoor vulnerability that is being exploited in Shopify. Most of us are not having these fake accounts created by any front door customer log in, newsletter or contact page because Shopify will show where those customers originated from if any of these options were used. The new fake accounts are created through other means and Shopify needs to patch it up. 

60 3 29

Also If we have to use and pay a 3rd party apps for fundamental stuff like customer Registration, then what are we paying Shopify for?
Handing our customer's info to another app just for registrations doesn't sit right.

51 1 28

Exactly this. Shopify claims to care about the privacy of our customers, yet the only option to get around the vulnerability that they caused is to use a third party app where we have no control over what they do with our customer data. Make it make sense. 

5 0 4

I'm seeing the same issue in our Shopify stores.  We use an app called "Blocky" and blocked a few countries as well as robots that we thought this may be coming from but that didn't do anything.  I think it's a script injection through a vulnerability in Shopify and has nothing to do with blocking ip's or email addresses or robots.  I just reported the issue to Shopify.  They requested screen shots but didn't have an immediate solution.

10 0 5

I have exactly the same issue with exactly the same 123 123 name. Thanks for sharing & yes, it's a real issue/shame that Shopify are not hotter on this.

1 0 1

We are facing exactly same issue. Shopify support is not able to give solution for it. 

51 1 28

I did a test on Saturday after getting daily fake account creations and it seemed to work for now. When I added the Captcha also for my login, create account and password recovery pages, I only had 1 come through on Sunday morning and zero today. I was getting 30 to 50 per day. It's the only fix that actually did something until Shopify fixes the issue. 

Shopify Partner
33 1 31

We're having the exact same problem. Hundreds of fake/spam customer accounts are being created a day. Originally, they all had the first name of "123" and last name of "123", but with seemingly-real email addresses. No other data is on the account. The Shopify timeline feed for the customer just says "customer created".


ReCaptcha is NOT a solution because these spammers are not using the front-end registration form. We don't allow customers to register directly, and there was no link to the registration page on our Shopify store anywhere when this started happening. But, since the registration page was still technically accessible if you knew the URL, we then edited the registration page template and completely removed the form. The spam customers are still being created.


@Shopify, this is a security hole that need to be fixed, please. Something like CSRF token protection on the server side (and front-end form) could probably prevent this. Whatever solution is employed, this needs a resolution because many are being negatively affected.

51 1 28

Agreed and I did similar steps that you took above, removing registration from my site and editing the code to remove "create account" link and nothing worked. When I finally went into preferences and added the captcha to the registration form, even though it's not on my front end, I have not received anymore new customers and I check daily. This is a security issue that Shopify needs to get fixed. This is 100% a back end code issue on Shopify's part. 

10 0 5

Yes, this is what we did. We don't have accounts active BUT were still receiving excess '123 123' fake accounts, most probably from a bug/bot.

We've coded out (commented) the create accounts sections & enabled Captcha (on account creation), this seems to currently be doing the trick. 

6 0 1

How did you manage to remove the Create Accounts link?


We're having a similar issue, with a few hundred fake accounts being made every day - and similar to some others here, we don't even allow regular signups so as people are saying there must be some exploit the bots are using. We'd rather not switch on reCAPTCHA as our customer base tend to be on the technically challenged side and we've had complaints when trying to use it in the past - annoyingly there doesn't seem to be any means of enabling Captcha for account creation only without also enabling it for logins.


Oddly when I edit the code to comment out (or even flat out remove) the 'Create account' link on the login page it bizarrely still persists. Even stranger, when I tried deleting the registration page entirely, the link still worked and redirected to a much simpler account creation page that I've never even seen before!


Am I doing something wrong here? Like many of you I'm absolutely baffled as to why we're suddenly getting so many fake accounts.

Shopify Partner
380 5 185

@ABSupplyCo_Mark reCAPTCHA doesn't require a "challenge" like previous versions of Google's CAPTCHA.

See Shopify's documentation or this screenshot:

Were your customers, perhaps, struggling with a previous version with challenges enabled?

Michael, COO @ Helium
- Customer Fields ✪✪✪✪✪ (357 reviews)
- Meteor Mega Menu ✪✪✪✪✪ (281 reviews)
- Strike Automatic Discounts NEW!
6 0 1

@michael-helium , we have reCAPTCHA enabled for one of our other sites - I've just tried logging in there with a test account and it's still presenting me with a challenge sadly.


Is there anything we have to do in particular to turn off the challenges? That was the main issue we were facing, as you suspect.

Shopify Partner
380 5 185

Hmm, strange. reCAPTCHA should work without challenges out of the box.
I typically only see a challenge after atypical activity, e.g. testing registration/login on a site 5-10+ times within a few minutes.

We expose a setting for reCAPTCHA sensitivity for Customer Fields app users, but it doesn't sound like that would help in your situation.

Michael, COO @ Helium
- Customer Fields ✪✪✪✪✪ (357 reviews)
- Meteor Mega Menu ✪✪✪✪✪ (281 reviews)
- Strike Automatic Discounts NEW!
10 0 5

Hi, we commented out (div > div) on main-login.liquid:

From: <div class="customer login section-{{ }}-padding">
to:  {%- endif -%} </div>

Hope this helps, cheers, AP : )

51 1 28

That's awesome. That's what finally stopped them creating accounts in my shop, haven't had anymore since. 

Shopify Partner
29 0 6

i can replicate what these bots are doing just via postman. - the shopify liquid form tag just creates an html form that posts to /account - the default form contains 4 fields


so in postman create a form that posts to your domain /account with those 4 fields, and the 2 hidden fields in from the liquid form tag and voila - a fake customer is created in your admin......captcha doesn't seem to prevent this.


hopefully there is a way to disable POST requests to /account. eh shopify?????


i guess you could do this to any shopify store out there.....


Screenshot 2024-02-22 at 11.09.15 PM.png


You can see my postman created account in amongst all the 123, 123 accounts and a few more of my postman tests (im sure you can spot em....)


Screenshot 2024-02-22 at 11.15.46 PM.png

Shopify Partner
2 0 0

Interestingly enough I just tried doing this in Postman, and it redirected me to the /challenge page as expected. But then again, I wonder if it has to do with our office IP frequently accessing Shopify? I'm curious if I tested this at home if it might let me through.

Does it just let you create accounts over and over, or does it stop you at some point?

Kyle | Front-end Developer @ Helium

Helium builds apps that merchants depend on:

- Customer Fields

- Meteor Mega Menu
Shopify Partner
380 5 185

@Kele_Nakamura - I asked our devs to look into this, and they were unable to replicate. They get redirected to the captcha challenge page, and no customer is created. 


Screenshot 2024-02-23 at 11.16.52 AM.png

Michael, COO @ Helium
- Customer Fields ✪✪✪✪✪ (357 reviews)
- Meteor Mega Menu ✪✪✪✪✪ (281 reviews)
- Strike Automatic Discounts NEW!
Shopify Partner
29 0 6

hmm i wonder if its because we don't have an actual create_customer form in our theme?  yeah i was able to create multiple back to back. I'll try again with captcha enabled, but for the customers i did create via this method it definitely had the "Customer was created" message in their timeline.

Shopify Partner
380 5 185

@Kele_Nakamura "hmm i wonder if its because we don't have an actual create_customer form in our theme?"

I wondered the same thing... let me know what you find out?

Michael, COO @ Helium
- Customer Fields ✪✪✪✪✪ (357 reviews)
- Meteor Mega Menu ✪✪✪✪✪ (281 reviews)
- Strike Automatic Discounts NEW!
Shopify Partner
29 0 6

okay so i tried it on the staging instance (separate shopify instance) and did get the challenge screen, so thats good! not sure why it doesn't kick in on prod instance though.

1 0 0

Did you or @Kele_Nakamura get any more insight into this? I was hoping to avoid having to enable reCaptcha, as I find it annoying as a user. The only solution I've come up with is to add a custom customer metafield to customers that I create or are valid, and to then check with liquid logic if the customer that logs in has this metafield defined, and if not, to display an unauthorized message, effectively preventing them from accessing my custom account page. As far as rapidly deleting customer accounts/customer files, I guess using tags on account creation, will allow me and others to filter and then mass delete fake or unauthorized accounts.  I'd probably prefer though, having control over the /account endpoint and be able to prevent unauthorized POSTS. 

Shopify Partner
29 0 6

i think the captcha started working again as we haven't seen the onslaught of fake customers as much it seems.

6 0 1

How did you manage to remove this? Whenever I try to comment out the Account Creation link it doesn't seem to go away and I'm not sure why! I've even tried removing the line of code entirely and that still doesn't get rid of it!

6 0 1

We've managed to remove the 'Create Account' link entirely, but this doesn't seem to have stopped the fake accounts at all.


Looking at the back end of the site in more detail, even when we completely remove the customer/register.liquid page, going to the Create Account page seems to load a very simple registration page that only asks for a first name, last name, email address and password. Is there any way we can remove or block this page as well, as this seems to be the one the bots are somehow using.



Shopify Partner
60 3 2

this is also happening in my store nonstop. it seems if i have captcha enabled that they don't register. but the issue is when captcha is enabled, often actual customers have trouble logging in because it does not accept their answer (even when its right). But then when i disable it so our actual customers don't have issues, then the fake accts start signing up again

Alan Richard Textiles, The Source for the Finest Home Furnishing Supplies. Distributor for Somfy Motors, Rollease, Velcro, & More!

3 0 0

We have been battling the fake accounts for over a year now without any solutions. Yesterday I removed the ability to use social logins (Google and Facebook). Those were the only ones that we had allowed from Growwave. I had about 20 stragglers come in overnight and so far I haven't had any today. 

3 0 0

This has worked for a week now but today, the fake email accounts have come back with a vengeance. I don't know how they are getting created since our website requires First and Last name to be entered and they are creating one by only using a email address. 

19 0 1

Yep this sort of thing has started happening on my site too and I'm not sure how the accounts are being created. I'm seeing random, real-sounding, names with unique emails, but the addresses are all structured the same way.  That's how I know it's the same fake accounts being created. And all of the names either sound Latin or not sure what's going on.

Shopify Partner
50 0 5

maybe using shopify app to hide your store's content from bots with bot blocker feature from kedra shield app 

1 0 0

We've been having the same problem for years.  But recently it's gotten really bad, like new fake accounts being created every minute, sometimes several per minute.  I tried Shopify support, they were useless.  I tried to add hcaptcha, that didn't work.  We putzed around with the customer accounts, that didn't work.  We tried bot and spam blockers, that didn't work.  We removed customer account signup functionality, and that didn't work.  I finally password protected the site, and that also didn't work.  Then I deleted 3 apps that we weren't using.  I wasn't scientific about it, so I didn't wait to see what happened after deleting each.  I just deleted the 3 apps and voila!, the fake user account creation stopped.  It's now been about 15 minutes, 0 fake new accounts.  Remember, we were getting 1-3 per minute.  I removed password protection from the store about 5 minutes ago, and still no new fake accounts.  I'm optimistic. 


UPDATE: Just kidding, they started up again, 5 new fake accounts.  Back to investigative mode.

Shopify Partner
89 3 36

It's really disappointing that Shopify has done nothing to help this, especially because accounts created this way are getting imported into our MailChimp mailing lists, leading to lots of spam! They've essentially turned every Shopify store into a spam bucket. 


All of our legitimate customers' Customer History starts with an entry that they were created by the Helium Customer Fields app (or one of our custom API apps):



Whereas these spam ones report that they are created through the Online Store:



I've asked Shopify Support for more details to determine how these customers are created, but to no avail. They just checked my hCaptcha settings. 😞


Shopify Partner
89 3 36

I don't seem to be able to edit my comment, but in viewing my MailChimp subscriber lists (since these customers got passed through to our MailChimp mailing lists!), it looks like the flood of 16,000+ email addresses (including variations of the same name, e.g.,, ) started being added on 2024-09-15.


Luckily, in our case, the customers can be identified in Shopify by a lack of a name and we'll set up a daily Mechanic automation to review recent new customers and delete the nameless ones. We'll have to do this manually in MailChimp every time we send out a campaign.

10 0 3



I am also experiencing this problem. How do you go about mass deleting the fake accounts? 


Please and thank you. 

Shopify Partner
89 3 36

It looks like the spam accounts stopped being created in my store 12 days ago, so hopefully Shopify finally fixed the issue that was leeting this happen.


Here's how you can bulk delete the accounts:


1. Create a customer segment that starts with the following:



customer_account_status = 'DISABLED' AND orders_placed(count_at_least: 1) = false



2. Add a few "AND customer_tags NOT CONTAINS 'tagname'" where 'tagname' is a customer tag for valid customers that were created.


3. Export the list, then open it in a spreadsheet software like MS Excel, LibreOffice Calc, or Google Sheets.


4. In the spreadsheet software, apply a filter on the "tags" column to look for potential real customers, and sort by other columns to review for other factors to use to adjust the Shopify customer filter.


5. When you're satisfied with the customer filter, save it as a segment.


6. Select all customers that show up in the filter and bulk delete them.


Repeat every couple of weeks or so.


Shopify Partner
89 3 36

Actually, I was wrong. They didn't stop, they just found a way to make the customers appear as enabled, which didn't show up in my filter. 


However, upon further research, I did find that all such spam customers have "Online Store created this customer" (which is not the case for any of my legit customers, which are created by the Customer Fields app, by an admin, or by a custom app). If you are familiar with building apps using the Shopify GraphQL API, the following query returns the customer timeline, which can then be searched for the string "Online String created this customer". I'm working on an automation using the Mechanic app to identify such customers, tag them, and then delete them.

   customer(id:"gid://shopify/Customer/<<CustID>>") {
    events(first: 100) {
      edges {
        node {
          __typename message