How can I prevent fake customer accounts on my website?

SFisk
Tourist

Hello everyone,

I've been trying to combat the issue of fake/spam customer accounts being made. I am not entirely sure how they are being made, but after reading articles and other posts on here, I sort of understand how.

I have done everything I can to combat the issue; my reCAPTCHA is and always has been enabled, and yet these accounts are somehow still able to be made.

They are all somewhat different: for some you can tell the e-mails are just made up, and others pose as legit e-mails but the names are made up.

Has anyone been able to actually curb this from the source?! I have a sign-up form set up and that is what most of my customers use; however, these fake ones have one thing in common, and that is their account is labeled 'classic'.

Any help, guidance, or advice is much appreciated!

Thank you!

Schuyler Fisk
Owner/Operator
Erie & Creek Tackle

Dan-From-Ryviu
Shopify Partner

Hi @SFisk

You can choose the version of customer accounts to use as "New customer accounts" in Settings > Customer accounts.

Screenshot 2024-01-31 at 09.40.12.png


SolidSoaps
Visitor

Hi Dan-From-Ryviu,

Thanks for this advice! We are also facing this issue, especially recently. We see about 10 new spam accounts created per hour. I just deleted 8,000 fake accounts last night.

I followed your advice to switch to "New customer accounts" and confirmed that the old flow is disabled, but it does not seem to have helped. Since switching the option last night, I see about 120 new accounts created, as recently as a few minutes ago.

Here are some observations:

* The accounts have a first/last name filled in
* They do not have an address (only a "default address" consisting of their name and "United States")
* They have no orders
* They are subscribed to email marketing
* Their timeline starts with "Customer was created."

I think that last point is interesting because when someone signs up through my site, it says something different: "Online Store created this customer."

Do you have any other advice we can try?

Thanks so much!

-Emlyn

SFisk
Tourist

Yes!

This is the exact same thing that I am experiencing…

“Customer was created” and “Classic Account” is the only positive way to identify these accounts without accidentally deleting an authentic customer.

Lychee88
Explorer

Same exact problem here. Nothing I've tried works. reCAPTCHA decided to stop working on the challenge page: all I see is a button without the challenge, so no one can submit a form via contact or newsletter, and I had to disable it. Even with it on, they were still creating accounts without a form submission. I switched to new customer accounts and that didn't work. They've found a hole that Shopify needs to close. The majority of apps available to either IP-block or control spam have bad reviews and end up hurting more than they help, so we're stuck in an endless loop until Shopify fixes it. 😞

SFisk
Tourist

Good morning, Dan.

I switched this last night; however, I woke up to 4 spam customer accounts exactly as Emlyn replied below.

Is there any other alternative to deter this from happening?!

Thank you!

Lychee88
Explorer

I just switched to the new customer accounts login and it didn't work. 3 fake accounts just came through. It seems like they've found a vulnerability within Shopify and are exploiting it. Nothing we do on our end works, and if Shopify refuses to fix it, we're stuck deleting thousands of fake accounts constantly.

Lychee88
Explorer

Unfortunately that doesn't work. I had 8 come through in the last 10 minutes while new customer accounts was enabled. Many others are seeing the same pattern. They found a hole within Shopify and nothing we do on our end stops it. Even with reCAPTCHA, they still get through.

Ram_A
Explorer

Same exact problem here. For example, from this one user alone, with First Name: 123 and Last Name: 123, I have received 270 fake accounts in the last couple of days. Even though I updated the registration form to only accept letters in the first and last name fields, they still somehow managed to bypass those requirements.

I've read most of the posts here about the same issue, and I am stunned that none of them include any public sharing of thoughts or plans from the Shopify team on how to stop this issue of API customer creation.

Screenshot 2024-02-09 at 03.47.09.png
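The traits reported in this thread (the timeline entry "Customer was created." instead of "Online Store created this customer.", placeholder names such as 123/123, a default address holding only a name and a country, no orders, an email-marketing opt-in, and creations arriving in bursts of many per hour) can be turned into a triage pass over a customer export before anyone bulk-deletes. The script below is an added example, not code from this thread or from Shopify. The record fields it reads (`first_name`, `last_name`, `orders_count`, `accepts_marketing`, `default_address`, `first_event`, `created_at`) are assumed to be mapped from your own export columns, and the sample records are constructed. It requires the generic "Customer was created." event before flagging anything, which is the rule the posters above rely on, so a genuine storefront signup that simply has no orders yet is not swept up.

```python
"""Triage heuristics for suspicious customer records (added example).

Field names are assumptions mapped from a customer export; adapt them.
"""
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

GENERIC_EVENT = "Customer was created."                   # what the spam accounts show
STOREFRONT_EVENT = "Online Store created this customer."  # what a real signup shows


def _parse_ts(value):
    # Export timestamps look like 2024-02-09T03:10:00Z; fromisoformat wants +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def customer_reasons(c):
    """Return the list of heuristics a single record trips (order is stable)."""
    reasons = []
    first = (c.get("first_name") or "").strip()
    last = (c.get("last_name") or "").strip()
    if not first or not last or any(ch.isdigit() for ch in first + last):
        reasons.append("placeholder_name")          # e.g. first/last name 123
    addr = c.get("default_address") or {}
    if not (addr.get("address1") or addr.get("city")):
        reasons.append("no_street_address")         # only name + country present
    if c.get("orders_count", 0) == 0:
        reasons.append("no_orders")
    if c.get("accepts_marketing"):
        reasons.append("marketing_opt_in")
    if c.get("first_event") == GENERIC_EVENT:
        reasons.append("generic_created_event")     # not the storefront event
    return reasons


def burst_ids(customers, threshold=5, window=timedelta(hours=1)):
    """IDs with at least `threshold` creations (self included) within `window` either side."""
    stamped = sorted((_parse_ts(c["created_at"]), c["id"]) for c in customers)
    stamps = [t for t, _ in stamped]
    bursty = set()
    for t, cid in stamped:
        lo = bisect_left(stamps, t - window)
        hi = bisect_right(stamps, t + window)
        if hi - lo >= threshold:
            bursty.add(cid)
    return bursty


def triage(customers, min_reasons=3, burst_threshold=5, window=timedelta(hours=1)):
    """Map customer id -> reasons for records worth reviewing before deletion.

    The generic "Customer was created." event is required, so a genuine
    storefront signup that merely has no orders yet is never flagged.
    """
    bursty = burst_ids(customers, burst_threshold, window)
    flagged = {}
    for c in customers:
        reasons = customer_reasons(c)
        if c["id"] in bursty:
            reasons.append("burst")
        if "generic_created_event" in reasons and len(reasons) >= min_reasons:
            flagged[c["id"]] = reasons
    return flagged


def _rec(cid, first, last, created, **overrides):
    # Constructed sample record; defaults mirror the spam profile described in the thread.
    rec = {"id": cid, "first_name": first, "last_name": last, "created_at": created,
           "orders_count": 0, "accepts_marketing": True,
           "default_address": {"address1": "", "city": "", "country": "United States"},
           "first_event": GENERIC_EVENT}
    rec.update(overrides)
    return rec


# Constructed sample data, not real customers.
SAMPLE_CUSTOMERS = [
    _rec(1, "123", "123", "2024-02-09T03:10:00Z"),
    _rec(2, "Maria", "Rossi", "2024-02-09T03:14:00Z"),   # real-sounding name, same profile
    _rec(3, "Pat", "Lee", "2024-02-08T17:00:00Z", orders_count=3, accepts_marketing=False,
         default_address={"address1": "1 Main St", "city": "Erie", "country": "United States"},
         first_event=STOREFRONT_EVENT),
    _rec(4, "123", "123", "2024-02-09T03:20:00Z"),
    _rec(5, "123", "123", "2024-02-09T03:25:00Z"),
    _rec(6, "123", "123", "2024-02-09T03:40:00Z"),
    _rec(7, "Jordan", "Kim", "2024-02-09T10:00:00Z", first_event=STOREFRONT_EVENT),  # new real signup
]

if __name__ == "__main__":
    for cid, reasons in sorted(triage(SAMPLE_CUSTOMERS).items()):
        print(cid, ", ".join(reasons))
```

On the constructed sample this flags the five records that share the spam profile, including the one with a real-sounding name, and leaves both the customer with orders and the fresh storefront signup alone; tune `min_reasons` and `burst_threshold` to your own volumes and review the flagged list rather than deleting it blindly.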

Lychee88
Explorer

Also, an app isn't going to fix a backdoor vulnerability that is being exploited in Shopify. Most of us are not having these fake accounts created by any front-door customer login, newsletter or contact page, because Shopify will show where those customers originated from if any of these options were used. The new fake accounts are created through other means, and Shopify needs to patch it up.

Ram_A
Explorer

Also, if we have to use and pay for third-party apps for fundamental stuff like customer registration, then what are we paying Shopify for?
Handing our customers' info to another app just for registrations doesn't sit right.

Lychee88
Explorer

Exactly this. Shopify claims to care about the privacy of our customers, yet the only option to get around the vulnerability that they caused is to use a third-party app where we have no control over what they do with our customer data. Make it make sense.

direct007
Tourist

I'm seeing the same issue in our Shopify stores. We use an app called "Blocky" and blocked a few countries, as well as robots, that we thought this may be coming from, but that didn't do anything. I think it's a script injection through a vulnerability in Shopify and has nothing to do with blocking IPs, email addresses or robots. I just reported the issue to Shopify. They requested screenshots but didn't have an immediate solution.

AlexCPerky
Excursionist

I have exactly the same issue with exactly the same "123 123" name. Thanks for sharing, and yes, it's a real issue/shame that Shopify are not hotter on this.

NorthHair
Visitor

We are facing exactly the same issue. Shopify support is not able to give a solution for it.

Lychee88
Explorer

I did a test on Saturday after getting daily fake account creations, and it seems to have worked for now. When I added the CAPTCHA also for my login, create account and password recovery pages, I only had 1 come through on Sunday morning and zero today. I was getting 30 to 50 per day. It's the only fix that actually did something, until Shopify fixes the issue.

aveshopstech
Shopify Partner

We're having the exact same problem. Hundreds of fake/spam customer accounts are being created a day. Originally, they all had the first name "123" and last name "123", but with seemingly real email addresses. No other data is on the account. The Shopify timeline feed for the customer just says "customer created".

reCAPTCHA is NOT a solution, because these spammers are not using the front-end registration form. We don't allow customers to register directly, and there was no link to the registration page anywhere on our Shopify store when this started happening. But, since the registration page was still technically accessible if you knew the URL, we then edited the registration page template and completely removed the form. The spam customers are still being created.

@Shopify, this is a security hole that needs to be fixed, please. Something like CSRF token protection on the server side (and front-end form) could probably prevent this. Whatever solution is employed, this needs a resolution because many are being negatively affected.
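The server-side form-token (CSRF-style) protection aveshopstech suggests is illustrated below as a generic pattern. This is an added example, not Shopify code, and Shopify does not give merchants a hook to attach it to the /account endpoint; it shows what the suggestion would mean on a platform that does control the endpoint. A token bound to the visitor's session and to a timestamp is embedded in the rendered form and checked on POST, so a bare POST assembled without first loading the form is rejected with 403 before any customer record is written. The names `SERVER_SECRET`, `issue_form_token`, `verify_form_token` and `handle_register` are this example's own.

```python
"""Session-bound form token for a registration POST (added illustration).

Generic pattern, not Shopify's own code; all names here are assumptions.
"""
import base64
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)   # per-deployment secret; generated fresh for this demo
TOKEN_TTL = 15 * 60              # seconds a rendered form stays submittable
REQUIRED_FIELDS = ("first_name", "last_name", "email", "password")


def _mac(secret, session_id, payload):
    # Bind the token to the visitor's session so a token minted for one
    # session cannot be submitted from another.
    msg = f"{session_id}|{payload}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id, secret=SERVER_SECRET, now=None):
    """Mint a token to embed as a hidden field when the form is rendered."""
    ts = int(time.time() if now is None else now)
    nonce = base64.urlsafe_b64encode(os.urandom(9)).decode().rstrip("=")
    payload = f"{ts}.{nonce}"
    return f"{payload}.{_mac(secret, session_id, payload)}"


def verify_form_token(token, session_id, secret=SERVER_SECRET, now=None, ttl=TOKEN_TTL):
    """True only if the token is well-formed, unexpired and MAC-valid for this session."""
    try:
        ts_s, nonce, mac = token.split(".")
        ts = int(ts_s)
    except (AttributeError, ValueError):   # None, empty, or malformed token
        return False
    expected = _mac(secret, session_id, f"{ts_s}.{nonce}")
    if not hmac.compare_digest(expected, mac):
        return False
    current = time.time() if now is None else now
    return 0 <= current - ts <= ttl


def handle_register(form, session_id, now=None):
    """Decide a registration POST; returns (http_status, message)."""
    if not verify_form_token(form.get("form_token"), session_id, now=now):
        return 403, "missing or invalid form token"   # rejected before any record is created
    for field in REQUIRED_FIELDS:
        if not str(form.get(field, "")).strip():
            return 400, f"missing {field}"
    return 201, "customer created"


if __name__ == "__main__":
    sid = "sess-demo"                                   # constructed session id
    token = issue_form_token(sid)
    bare = {"first_name": "123", "last_name": "123",
            "email": "x@example.com", "password": "pw"}
    print(handle_register(bare, sid))                   # (403, ...) no token
    print(handle_register({**bare, "form_token": token}, sid))   # (201, ...)
```

A stateless HMAC token like this stops requests that never loaded the form, but a client that fetches the form first and replays the token within its lifetime still passes; a single-use nonce store, per-IP rate limiting and the CAPTCHA discussed in this thread are complementary layers rather than alternatives.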

Lychee88
Explorer

Agreed, and I took similar steps to those above, removing registration from my site and editing the code to remove the "create account" link, and nothing worked. When I finally went into preferences and added the CAPTCHA to the registration form, even though it's not on my front end, I have not received any more new customers, and I check daily. This is a security issue that Shopify needs to get fixed. This is 100% a back-end code issue on Shopify's part.

AlexCPerky
Excursionist

Yes, this is what we did. We don't have accounts active BUT were still receiving excess '123 123' fake accounts, most probably from a bug/bot.

We've coded out (commented out) the create accounts sections & enabled CAPTCHA (on account creation); this seems to currently be doing the trick.

ABSupplyCo_Mark
Tourist

How did you manage to remove the Create Accounts link?

We're having a similar issue, with a few hundred fake accounts being made every day, and, like some others here, we don't even allow regular signups, so as people are saying there must be some exploit the bots are using. We'd rather not switch on reCAPTCHA, as our customer base tends to be on the technically challenged side and we've had complaints when trying to use it in the past; annoyingly, there doesn't seem to be any means of enabling CAPTCHA for account creation only without also enabling it for logins.

Oddly, when I edit the code to comment out (or even flat out remove) the 'Create account' link on the login page, it bizarrely still persists. Even stranger, when I tried deleting the registration page entirely, the link still worked and redirected to a much simpler account creation page that I've never even seen before!

Am I doing something wrong here? Like many of you I'm absolutely baffled as to why we're suddenly getting so many fake accounts.

michael-helium
Shopify Partner

@ABSupplyCo_Mark reCAPTCHA doesn't require a "challenge" like previous versions of Google's CAPTCHA.

See Shopify's documentation or this screenshot: https://share.heliumdev.com/YEuJkNPk

Were your customers, perhaps, struggling with a previous version with challenges enabled?

Michael, COO @ Helium
- Customer Fields ✪✪✪✪✪ (357 reviews)
- Meteor Mega Menu ✪✪✪✪✪ (281 reviews)
ABSupplyCo_Mark
Tourist

@michael-helium, we have reCAPTCHA enabled for one of our other sites. I've just tried logging in there with a test account and it's still presenting me with a challenge, sadly.

Is there anything we have to do in particular to turn off the challenges? That was the main issue we were facing, as you suspect.

michael-helium
Shopify Partner

Hmm, strange. reCAPTCHA should work without challenges out of the box.
I typically only see a challenge after atypical activity, e.g. testing registration/login on a site 5-10+ times within a few minutes.

We expose a setting for reCAPTCHA sensitivity for Customer Fields app users, but it doesn't sound like that would help in your situation.

AlexCPerky
Excursionist

Hi, we commented out (div > div) on main-login.liquid:

From: <div class="customer login section-{{ section.id }}-padding">
to: {%- endif -%} </div>

Hope this helps, cheers, AP : )

Lychee88
Explorer

That's awesome. That's what finally stopped them creating accounts in my shop; I haven't had any more since.

Kele_Nakamura
Shopify Partner

I can replicate what these bots are doing just via Postman.

https://shopify.dev/docs/api/liquid/tags/form#form-create_customer - the Shopify Liquid form tag just creates an HTML form that posts to /account

https://shopify.dev/docs/themes/architecture/templates/customers-register#content - the default form contains 4 fields

So in Postman, create a form that posts to your domain /account with those 4 fields, and the 2 hidden fields from the Liquid form tag, and voila, a fake customer is created in your admin... CAPTCHA doesn't seem to prevent this.

Hopefully there is a way to disable POST requests to /account. Eh, Shopify?

I guess you could do this to any Shopify store out there...

Screenshot 2024-02-22 at 11.09.15 PM.png

You can see my Postman-created account amongst all the 123, 123 accounts and a few more of my Postman tests (I'm sure you can spot them...).

Screenshot 2024-02-22 at 11.15.46 PM.png

kyle-helium
Shopify Partner

Interestingly enough, I just tried doing this in Postman, and it redirected me to the /challenge page as expected. But then again, I wonder if it has to do with our office IP frequently accessing Shopify? I'm curious whether, if I tested this at home, it might let me through.

Does it just let you create accounts over and over, or does it stop you at some point?

Kyle | Front-end Developer @ Helium
michael-helium
Shopify Partner

@Kele_Nakamura - I asked our devs to look into this, and they were unable to replicate. They get redirected to the CAPTCHA challenge page, and no customer is created.

Screenshot 2024-02-23 at 11.16.52 AM.png

Kele_Nakamura
Shopify Partner

Hmm, I wonder if it's because we don't have an actual create_customer form in our theme? Yeah, I was able to create multiple back to back. I'll try again with CAPTCHA enabled, but for the customers I did create via this method, it definitely had the "Customer was created" message in their timeline.

michael-helium
Shopify Partner

@Kele_Nakamura "hmm i wonder if its because we don't have an actual create_customer form in our theme?"

I wondered the same thing... let me know what you find out?

Kele_Nakamura
Shopify Partner

Okay, so I tried it on the staging instance (a separate Shopify instance) and did get the challenge screen, so that's good! Not sure why it doesn't kick in on the prod instance though.

ABSupplyCo_Mark
Tourist

How did you manage to remove this? Whenever I try to comment out the Account Creation link it doesn't seem to go away, and I'm not sure why! I've even tried removing the line of code entirely and that still doesn't get rid of it!

ABSupplyCo_Mark
Tourist

We've managed to remove the 'Create Account' link entirely, but this doesn't seem to have stopped the fake accounts at all.

Looking at the back end of the site in more detail, even when we completely remove the customer/register.liquid page, going to the Create Account page seems to load a very simple registration page that only asks for a first name, last name, email address and password. Is there any way we can remove or block this page as well, as this seems to be the one the bots are somehow using?

Screenshot_5a.png

alanrichardtex
Excursionist

This is also happening in my store nonstop. It seems that if I have CAPTCHA enabled they don't register, but the issue is that when CAPTCHA is enabled, actual customers often have trouble logging in because it does not accept their answer (even when it's right). But then when I disable it so our actual customers don't have issues, the fake accounts start signing up again.

pibblelove
Visitor

We have been battling the fake accounts for over a year now without any solutions. Yesterday I removed the ability to use social logins (Google and Facebook). Those were the only ones that we had allowed from Growwave. I had about 20 stragglers come in overnight, and so far I haven't had any today.

pibblelove
Visitor

This worked for a week, but today the fake email accounts have come back with a vengeance. I don't know how they are getting created, since our website requires a first and last name to be entered and they are creating them using only an email address.

fedgery77
Tourist

Yep, this sort of thing has started happening on my site too, and I'm not sure how the accounts are being created. I'm seeing random, real-sounding names with unique emails, but the addresses are all structured the same way. That's how I know it's the same fake accounts being created. And all of the names either sound Latin or Italian... maybe... so not sure what's going on.