Re: HELP! Unidentified person added as owner

How to handle unknown person added as website owner on Google Search Console?

JJL
Excursionist
37 0 28

I received this email from Google this morning:

New owner for https://ftp.(my domain name)
To owner of (my domain name),
Google has identified that (an email address) has been added as an owner of https://ftp.(my domain name)
Property owners can change critical settings that affect how Google Search interacts with your site. Ensure that only appropriate people have owner status, and that this role is revoked when it is no longer needed.
 
The domain name is the same as mine but with ftp. in front of it. I've checked in Google Search Console and this person has not been added as an owner on my domain name. When I go to the https://ftp.(my domain name) it takes me to a shop with one item on it (possibly a shopify store).
 
I know this is not strictly a Shopify topic but I'm hoping someone might be able to help. Is this something I need to worry about? Is there anything I should do? Does ftp. in front of a domain name mean anything?
 
Thanks,
Jason.
JJL
Excursionist
37 0 28

Thank you Ryan, I've done that.

Does anyone know what the ftp. prefix is? Do I own that? Should I be worried that I am being hacked?

JJL
Excursionist
37 0 28

Yes, I still have access. How do I remove them?

JJL
Excursionist
37 0 28

Thank you for all your help so far, Ryan.

I have just found the rogue owner of the ftp. address in google console. I have removed them but it says that they can just add themselves back again unless I remove a html tag from my homepage. Do you have any idea of how I would find this? How did they gain access in the first place?

JJL
Excursionist
37 0 28

I am the owner of the store and there are no staff members. I've checked in Shopify admin and no one else has been added. I've had no emails from Shopify to say that I've had a log in from an unknown device.

I do not have a Partner Dashboard account.

The only thing I've had is the email from Google Search Console saying that an email address (which is unknown to me) has added themselves as an owner of the domain name ftp.(my domain name).

I don't appear to have been hacked but a shopify store does exist at ftp.(my domain name), which I have reported to shopify.

Thanks.

JJL
Excursionist
37 0 28

Yes, I did get an email from google with the No.2 I do not recognize. I went to search console and there is no record of any other user/owner being added.

The problem is that it is not my domain name, it is my domain name with ftp. in front of it. Google seems to think that it is a problem. I'm still not completely sure what the ftp. means!! Do I own the ftp. prefix domain name?

realityfade
Visitor
2 0 2

Any luck with this? I just woke up to the same problem. No owners except me in the list yet I got 2 of these emails. 

 

''New owner for https / mail dot mydomainname dot com / password

To owner of mydomainname,

Google has identified that xxx has been added as an owner of https / mail dot mydomainname dot com / password

Property owners can change critical settings that affect how Google Search interacts with your site. Ensure that only appropriate people have owner status, and that this role is revoked when it is no longer needed.''

JJL
Excursionist
37 0 28

Sorry this is happening to you too.

 

When you go into Google Search Console, is that subdomain listed or is it only your root domain that you can see? If it's not listed then click on 'ADD PROPERTY' and add the exact subdomain. Once you have done this you will be able to choose that subdomain, click on SETTINGS and then click USERS & PERMISSIONS, you will then see the offending 'owner' and be able to remove them (as the owner of the root domain you have control).

 

This will leave a 'LEFTOVER OWNERSHIP TOKEN' which you can only delete if you have access to the code on their store, which of course, you do not. So they could potentially add themselves back as an owner.

 

If you are not using the subdomain then go into the DNS settings where your domain is registered (mine is Godaddy), find the CNAME file associated with the subdomain and delete it. This will take their store down. If you're not sure what effect this will have on your own sites then make a note of the details so that you can add it back in again if you need to. I'm guessing you're not using it and that's why it's been hijacked.

 

I've spoken to a few different people on other forums who have experienced the same thing. Is yours going to an Indonesian gambling site too?

 

I'm wondering if Shopify is allowing people free trials using any subdomain without checking authorisation. Make sure you contact Shopify about this so that they are fully aware of the problems they are causing.

 

All the best.
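To see which verification tag a hostname is serving (the HTML-tag method leaves a `google-site-verification` meta tag in the page), the saved page source can be scanned and each token compared with the ones you issued yourself. This is an added example, not part of the original post; the HTML, the token strings and the function names are constructed.

```python
from html.parser import HTMLParser

# Constructed page source, as saved from "view source" on the affected hostname.
SAMPLE_HTML = """
<html><head>
<title>Shop</title>
<meta name="google-site-verification" content="OWNER-TOKEN-constructed-0001">
<META NAME="Google-Site-Verification" CONTENT="UNRECOGNISED-constructed-0002" />
<meta name="description" content="one item store">
</head><body>
<meta name="google-site-verification" content="UNRECOGNISED-constructed-0002">
</body></html>
"""


class VerificationTagFinder(HTMLParser):
    """Collects the content of every google-site-verification meta tag."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("name", "").strip().lower() == "google-site-verification":
            self.tokens.append(attr.get("content", "").strip())


def classify_tokens(html, known_tokens):
    """Split the tokens found in html into ones you issued and ones you did not."""
    finder = VerificationTagFinder()
    finder.feed(html)
    finder.close()
    seen = list(dict.fromkeys(finder.tokens))  # de-duplicate, keep page order
    return {
        "known": [t for t in seen if t in known_tokens],
        "unknown": [t for t in seen if t not in known_tokens],
    }


if __name__ == "__main__":
    # known_tokens: the verification tokens shown for your own account.
    result = classify_tokens(SAMPLE_HTML, {"OWNER-TOKEN-constructed-0001"})
    for token in result["unknown"]:
        print("unrecognised verification token served:", token)
```

Re-running it after the DNS record has been removed shows whether the hostname still serves the unrecognised token.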

 

 

realityfade
Visitor
2 0 2

Thank you, just did all that, hope it helps. Cheers!

Jsonting
Tourist
3 0 0

This just happened to me too! And yes it's going into a gambling site called Serba88. 

How did they add themselves into my domain without my consent? Apparently they did it via HTML Tag, and now I can't remove their ownership!
This is really frustrating and Shopify said it's not their problem but GoDaddy's.

JJL
Excursionist
37 0 28

I've been talking to people on the Shopify forum and on the Google Search Central Community and there are lots of us having the same problem. It seems to be with people using Godaddy and Shopify and it's when you have an unused DNS file in Godaddy (such as ftp.), malicious users can then create a subdomain of your domain name with this file.

 

I don't think it's a Godaddy problem, I do not think my Godaddy account was compromised in any way. The problem seems to be that Shopify are allowing malicious users to set up stores using subdomains without any authorisation from the root domain holder.

 

Have you deleted the DNS file from Godaddy? This will remove the page that the subdomain is pointing to.

 

 

sthr
Shopify Partner
6 0 2

Hi, I'm following your trail from GSC Community.

It happened to me as well, based on your info and my own rough research it seems they're exploiting unused sub domain & shopify store? I still don't know how they gained access and shopify support isn't helpful at all.

 

Thanks for bringing this up!

Alice14
Excursionist
15 0 15

I am having the same problem with my site, but after deleting the DNS entry relating to FTP two days ago (and removing the unauthorized user from Google Search Console), the Indonesian gambling page is still up. I looked at their page's source code and the Indonesians are using a Shopify storefront xxx.myshopify.com that somehow points to a subdomain of my site. For example, my shop's URL is https://www.MYSHOP.com and the Indonesian set up their gambling page at https://MYSHOP.com 

 

I reported the Indonesian Shopify store to Shopify yesterday, and I was told they will escalate the issue to the relevant department. 

 

Can anyone help with how to get the gambling page taken down? I have contacted Godaddy and Shopify. Godaddy just tells me to report my own site to their team investigating scams, etc.  -- which is totally not helpful, as I don't want my own legitimate site taken down! Shopify had me update my DNS entries, change my passwords and said they will look into the Indonesian Shopify store (who knows when?).

JJL
Excursionist
37 0 28

Hi Alice14, sorry to hear that this is happening to you too. Scary isn't it?

 

As the Indonesian gambling site didn't use your ftp subdomain (ftp.yourshop.com) then removing your ftp file from your DNS records will not do anything. It's still a good thing that you've deleted it as you do not need it for a shopify store and it stops it being hijacked by anyone.

 

Is your own shopify store still up and running? Did you only have https://www.yourshop.com  pointing at your store and not https://yourshop.com? Both of those belong to you and you should really have both pointing to your store. I don't really know enough about this to advise you properly but if you go to your Shopify dashboard and then go to SETTINGS and then DOMAINS you should see what domains you have pointing to your store (I have MYSTORE.co.uk as a primary and www.MYSTORE.co.uk  as a redirect to my shopify store).

 

The next bit I'm not too sure about, hopefully someone else might jump in and advise, if you make sure both of those are directed to your store then they will no longer point to the gambling site and it will disappear. Hopefully that makes sense.

 

My partner started a thread about this in the Google Search Console forum which you can find in the link below, there's a person there that is being really helpful and if you post on that thread then they might be able to help further:

https://support.google.com/webmasters/thread/257728643/unknown-person-added-themselves-as-owner-of-my-domain-in-search-console?

 

Best of luck with it.

 

Alice14
Excursionist
15 0 15

Hi JJL -- thank you for your kind advice. Your tip concerning having the Domain Setting in Shopify pointing to both www.MYSHOP.com as well as MYSHOP.com is key to unlocking the whole fiasco for me. I only had www.MYSHOP.com and MYSHOP.myshopify.com listed. I think that's how the Indonesian hijacker exploited my URL. They added MYSHOP.com as a property on Google Search Console and had themselves verified as owner by adding the Google owner HTML code to their Shopify store page ... then they added MYSHOP.com to their Shopify Domain setting, thereby stealing my URL for their nefarious purposes. So in my situation, it had nothing to do with my Godaddy DNS settings, but everything to do with Shopify allowing these hijackers to use a version of another Shopify store's URL without permission.  Who knew removing the WWW. in front of the store name creates such a security risk? For an average person without a computer programming background like myself, this has certainly been an eye-opening experience.

 

So for everyone reading this, please double check your Domains under your Shopify setting, and make sure you have both versions of your URL (with and without www) included. Set one as primary and have the others redirect to your primary within Shopify's Domain settings!

 

And look at the source code on the Indonesian gambling page. If you see their Shopify store name in the source code like I did, contact Shopify and let them know. Shopify did take down the Indonesian store in my case, after I let them know which store to take down.

JJL
Excursionist
37 0 28

Hi Alice14, that's great news, glad you managed to get it sorted out.

Alice14
Excursionist
15 0 15

Hi JJL -- I do worry that I've overlooked something though. Because when you link a domain on Shopify, Shopify asks you to add a TXT DNS entry to verify that you own the domain. So how was the Indonesian hijacker able to link https://MYSHOP.com to their Shopify store without my knowledge or permission? I am sure they don't have access to my GoDaddy account, because I don't see another Shopify TXT entry.  Now that I have deleted the FTP DNS entry and taken control of the https://MYSHOP.com property, are there still more ways for a hijacker to create a subdomain on my site?

JJL
Excursionist
37 0 28

Hi Alice14, I don't think they do have access to our Godaddy accounts (I hope!). Finding the unused subdomains doesn't seem to be difficult, I saw that there are even youtube videos showing people how to do it!! I don't know the details but it doesn't seem to need access to accounts to do it. The finer details of how they point the subdomain to their Shopify store I just don't know. I'm hoping that deleting the DNS entry for the subdomain puts an end to it. 

foggydogs
Visitor
1 0 0

Also jumping on this thread to share that I just received a notification from GSC that another owner had been added with an unknown email address, but also with no subdomain. When I go to www.mysite.com and mysite.com, it's all still pointing to my Shopify store. And the "new owner" isn't actually listed anywhere in my GSC users. I did have an unused token for an email address I'm familiar with, so I deleted that. But I can't figure out exactly what the implications are of my situation, as I'm not seeing any changes to my store.

 

I use Namecheap, is it possible that Shopify or Namecheap interceded and kept the bad actor from snaking a subdomain? Or my domain entirely?

fcbeautyco
Tourist
10 0 2
After looking into this further, I've come to realize that the issue lies with Shopify. Specifically, there seems to be a problem related to their mysite.com/vendor list. If you haven't disabled this feature, third parties can redirect your website traffic to their own page. In my case, a casino appeared as https://www.mysite.com/vendor/casino88, and all their products were displayed from there. If you don't utilize Vendors to showcase your products, I highly recommend disavowing any links that begin with https://www.mysite.com/vendor/ in the Google Search Console.
halfshy
Visitor
1 0 0

Adding my name to this forum, same thing happening to me - though instead of Godaddy, my domain is hosted with Google - which is now making the switch over to Squarespace. It appears to be a little trickier to try and delete the ftp portion but I'm working through the steps now. I've contacted Shopify as well to let them know it happened - they said to contact Google/Squarespace.

fcbeautyco
Tourist
10 0 2

The same thing has happened to me! I have been passed around from GoDaddy to HostGator to Shopify, with all of them telling me that everything looks correct on their end, when clearly it is not. Would love to know if you found a solution. I've been reading forums and someone said Cloudflare has been compromised?

JJL
Excursionist
37 0 28

Hello Fcbeautyco,

 

The solution for me was to delete the ftp subdomain DNS file in Godaddy which the malicious site was using; this took down their store. I still don't really know how it happened but I do not think my security was breached on Shopify or Godaddy. It seems that the hackers found a way to utilise a weakness in the system which allowed them to find unused subdomains and open Shopify stores without authorisation from the domain owner.

 

If the fault lies anywhere, then I think it is in us for not cleaning up unused DNS files and Shopify for allowing people to open stores using an unauthorised subdomain.

fcbeautyco
Tourist
10 0 2
The weirdest thing is - I've contacted GoDaddy and HostGator and looked at the DNS records. The hijackers have taken my cpanel.mysite.com AND my FTP.mysite.com and both HostGator, GoDaddy and Shopify have absolutely no records of these sites but clearly they exist. I've looked over the DNS settings myself and it's not there.

It's as if there is an injected code that is making these sites? I looked into it on Google Search Console and I was able to view their verification process as a code.


sthr
Shopify Partner
6 0 2

Did they gain access from html-tag verification as well? Mine did that, I removed them immediately. Indeed, it's some kind of automated script injected into the HTML DOM or something.

fcbeautyco
Tourist
10 0 2
So I've been digging deep into my code to spot anything off with help from the web AND I THINK I spotted the code that was injected!


From the web: "The part that stands out and might raise questions is the script towards the end that uses document.open() and document.write() based on certain conditions, checking the user agent string for specific values before deciding what content to write to the document.

This script looks like it's trying to serve different content based on the visitor's browser or possibly trying to detect certain bots or crawlers (Chrome-Lighthouse, X11, GTmetrix are mentioned, which are related to browser identification and website performance testing). The intent seems to be to conditionally load different content or resources based on whether the visitor is perceived as a normal user versus a bot or using a specific tool. This can be a legitimate practice for optimizing user experience or protecting content.

However, using document.write() can be concerning for several reasons:

* Performance: It can negatively affect the loading performance of your webpage, especially if used incorrectly.
* Security: If not properly sanitized, dynamically writing content to your page can potentially introduce cross-site scripting (XSS) vulnerabilities. The document.write here is controlled and does not directly insert user input, which mitigates immediate concerns, but the practice itself can be risky if the context or implementation changes."

I'm deleting it now I will let you know what happens!

sthr
Shopify Partner
6 0 2

lmk how it goes!

Also, would you mind DMing me the shadow gambling store that points to your url?

In my case it was an unused Shopify store, I immediately deleted it and didn't get the chance to check the IP addr, I should've checked it first. Now, I'm still left wondering how they got it in the first place. Possibilities: unused Google Analytics verification and (not sure) since the Google domain my client was using is sold to Squarespace, probably there's some vulnerability somewhere.

Erick_C
Tourist
10 0 4

I got this today too. I initially did not see new users or owners, but then tried adding that EXACT ftp url in the Google Search Console (e.g. https:// ftp. my-web-site. com).

 

It then revealed the owners and files that had permission. I revoked the access. I have no idea how this happened.

 

The first email was a gmail account and the next said iam.gserviceaccount

JJL
Excursionist
37 0 28

Sorry to hear this happened to you too. Out of interest, where did they point your hijacked subdomains to, was it an Indonesian gambling site too? I have a theory that they are hijacking subdomains so that their IP address is showing as not in Indonesia, as gambling is illegal there.

Erick_C
Tourist
10 0 4

Seems to be slots


  

Antoes
Visitor
1 0 0

This same issue happened to us over the weekend. There were no CNAME or A records so we ended up logging into our domain registrar and forwarding ftp.oursite.com to our main site. Any official update from the Shopify team?

 

JJL
Excursionist
37 0 28

I haven't had any more updates from Shopify. I had a ticket open and was in conversation with one of their team about it; their last reply to me said that they were forwarding the matter to the relevant teams and that they were unable to interfere with Shopify accounts. When I tried to reply I found that they had closed the ticket! Have you contacted Shopify? It's good if more people contact them about it so they know how prolific this is. 

TR_Page
Shopify Partner
17 1 6

Had this happen with a merchant recently as well. Not surprising, but was GoDaddy - which seems to be a common link here.

 

Would recommend you update all passwords for access to GoDaddy and make sure you've got multi-factor authentication setup as well. Don't use SMS/text as option whenever possible and use an authentication app instead (1Password is great for paid tool, Bitwarden good free open source alternative for password managers).

 

For other folks facing this problem, you'll have records within GoDaddy that you need to remove the DNS record that allows for a subdomain on "ftp" or any other subdomain you don't necessarily own. Before that, in order to gain access to your search console and remove other members you can add a TXT record to verify your ownership and then remove the bad actors. They won't be able to do HTML verification after you verify with DNS, remove, and then delete the subdomain record.

 

I'm working with a merchant who had this happen where Shopify does not have access/ability to create records and we've done all authentication manually (recommended because it works better anyways). This seems to be an issue with GoDaddy, not Shopify.

 

On the positive, Google views subdomains as separate entities so it's not likely that your primary URL property has been damaged but this is something you want to manage as quickly as possible.

 

If you don't have your primary property set up as a Domain property, would recommend that as well because you'll receive emails then whenever a new URL-prefix property is created.

Freelance Web Developer + Shopify Expert
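The cleanup described in this thread (remove DNS records that point at the store platform for hostnames you have not connected to your own store) can be checked against a zone export. The audit below is an added example, not part of the original thread or any vendor's tooling; the zone text, `example.com`, the platform IP and the function names are constructed, and the only platform detail taken from the thread is the `myshopify.com` suffix. It also flags wildcard records, which go slightly beyond what the posts cover.

```python
PLATFORM_SUFFIX = "myshopify.com"  # CNAME targets under this suffix point at the platform

# Constructed zone export for example.com; every value here is a placeholder.
SAMPLE_ZONE = """\
; name  ttl  class type  target
@      3600 IN A     203.0.113.10
www    3600 IN CNAME shops.myshopify.com.
ftp    3600 IN CNAME shops.myshopify.com.
mail   3600 IN A     198.51.100.7
blog   3600 IN CNAME hosting.example.net.
spf    3600 IN TXT   "v=spf1 a ~all"
*      3600 IN CNAME shops.myshopify.com.
"""


def parse_zone(text, origin):
    """Return (fqdn, type, target) for the A and CNAME records in a simple zone export."""
    records = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        i = 1
        # Skip the optional TTL and class columns to find the record type.
        while i < len(fields) and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1
        if i + 1 >= len(fields) or fields[i].upper() not in ("A", "CNAME"):
            continue
        name = fields[0]
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"
        records.append((fqdn.lower(), fields[i].upper(), fields[i + 1].rstrip(".").lower()))
    return records


def points_at_platform(rtype, target, platform_ips):
    if rtype == "CNAME":
        return target == PLATFORM_SUFFIX or target.endswith("." + PLATFORM_SUFFIX)
    return target in platform_ips  # A record: compare with the platform's address(es)


def audit(zone_text, origin, connected, platform_ips):
    """List hostnames that resolve to the platform but are not connected to your own store."""
    connected = {h.lower() for h in connected}
    findings = []
    for fqdn, rtype, target in parse_zone(zone_text, origin):
        if not points_at_platform(rtype, target, platform_ips):
            continue
        if fqdn.startswith("*."):
            findings.append((fqdn, "wildcard: every undefined subdomain resolves to the platform"))
        elif fqdn not in connected:
            findings.append((fqdn, "dangling: points at the platform, not connected to your store"))
    return findings


if __name__ == "__main__":
    # connected: hostnames listed under the store's domain settings (assumed input).
    # platform_ips: the platform's current A-record address(es); 203.0.113.10 is a placeholder.
    for host, reason in audit(SAMPLE_ZONE, "example.com", {"www.example.com"}, {"203.0.113.10"}):
        print(f"{host}: {reason}")
```

Each flagged hostname should either be connected to your own store or have its record deleted.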
Alice14
Excursionist
15 0 15

I just want to share with everyone that apparently hijacking established Shopify domains is a "thing" in the Indonesian gambling scene in order to improve their SEO. They call it the "Shopify Method". They talk about it on Blackhatworld forums here and here. Given the prevalence of this occurring, more of us need to alert Shopify so that their security team can put a stop to this alarming practice.

 

Even Wired had an episode with the Indonesian gamblers taking over one of their subdomains last year. Read here.

sthr
Shopify Partner
6 0 2

Thank you! I'll try to alert Shopify as well.

David_SL
Tourist
5 0 2

Hi

 

A subdomain was taken over from an Indonesian site for us also. Shopify Plus support just pushed the problem on us saying it was our DNS issue. However, they allowed a Shopify website to host a hacker and maliciously take over a domain. Shopify should not allow a subdomain to be added to a new store without authorisation of the domain owner. I believe everyone here should demand better support and security from a service we all pay a lot for. Google should ensure that tokens can be revoked by the domain admin, rather than the html snippet they use to authorise the domain which cannot be revoked. Two obvious failings.

fcbeautyco
Tourist
10 0 2

I agree completely! I ended up adding the other prefixes of my site onto my Google Search Console, inspected the page source and saw that it was in fact a Shopify website. They did this with three different prefixes of my domain. Shopify took no accountability at all, kept blaming my DNS and telling me to "be patient" even after I told them it was through Shopify. I have spent over a week now dealing with this, and cleaning it up. I've also had to individually submit each page onto Google Search Console for the pages to be removed.