Discuss and resolve questions on Liquid, JavaScript, themes, sales channels, and site speed enhancements.
I have fake customer accounts being created and I need to find out how they are being created so I can stop them.
The accounts have a random string for first and last names and what looks like genuine email addresses for the email. They have a range of domains including Gmail, Hotmail, ,MSN etc as well as provide email domains for companies.
I do not have customer accounts enabled. I have removed email signup forms. As far as I can tell there is no way to create an account via the website (although I may be wrong).
I have removed a bunch of apps with edit customer permissions including the google sales channel which I understand is known for this type of issue. Nothing I do is stopping them.
There are no other logins to my shopify and if I manually create an account it shows in the customer's timeline that I was the one to do it.
I have granted no API access or created any access tokens.
I am at a complete loss and shopify's response so far has been 'enable captcha' and 'try an app'
Hoping someone may be able to guide me on what to check and what logical steps I can take from here
Solved! Go to the solution
This is an accepted solution.
I simply went to my theme and went to customize it. Under the drop-down where you can select which page you are editing, I navigated to the customer registration page. Once here, I removed the sign-up form from the template.
Following, as the same thing is happening to me
Do yours look the same as this?
What theme are you using?
What apps do you have that have 'edit customer information' permission?
Trying to see if there are any commonalities between our set ups that might point to the issue.
Yes, that's exactly what mine looks like. But I think I fixed it just by turning on captcha in the Shopify settings. I did this yesterday and haven't gotten any new fake accounts since then.
I followed the instructions here under Activate or deactivate reCAPTCHA on online store:
https://help.shopify.com/en/manual/online-store/setting-up/preferences
Thanks, looks like our issues are not the same then as I have already enabled CAPTCHA and still have the issue
recaptcha still is not helping
mine look like that
I am also seeing the same thing and am having to manually delete the accounts. No idea how these got onto our site as we do not allow anyone to set up their own account and the webcart is password protected.
I may have solved the issue on my side. It's too early to say for certain but I am hopeful. I will list the process I have taken so you can follow. I will happily help you resolve this
Update: I believe I have solved this but will confirm in a couple of days assuming no more accounts are created.
In case anyone else is having the same issue and would like to resolve it, this is the approach I took
Customer accounts can be created in 3 main ways, 1) via the admin by you or the team, 2) via the website, or 3) via an app/api that has the 'edit customer' permissions. Within these 3 routes, there are multiple ways accounts are created but categorizing them into these buckets helps with diagnosis.
Firstly, it is important to confirm your and any staff accounts are safe and secure. I would suggest ensuring 2-factor authentication is enabled for all logins and resetting passwords. It is unlikely this is the reason the accounts are being created but it is the most dangerous if it is as someone has access to your account. Lock it down before proceeding. N.B. if the accounts are being created inside admin, the customer timeline will show which user created them so open up one of these customers and look at who created them. If there is a user associated with the creation it will look like this:
Next is to determine if the customer is being created via the website, this is the most likely scenario.
There are multiple ways a customer account can be created via the website, email newsletter sign-up forms, chat widgets, starting an order, registering an account etc.
Most of these routes will leave a clue on the customer account, for example, it is likely that if the account is being created via a newsletter sign-up form then the account will have the tag 'newsletter', or if it is via a pop-up sign-up form it may have a tag of the app you are using for the pop-up. Look at the tags on these accounts for clues as to where the account is coming from.
Also, check your abandon carts to see if there are abandon carts matching the customers you are seeing in your customer list.
Next, we need to consider account registration. (This is where mine were coming from). Shopify has a feature allowing customers to create an account with your store enabling them to track past orders etc. I strongly believed my customers were not coming from this route as I had customer accounts disabled. However, the account registration page still potentially exists for your store even if you have accounts disabled. Open a browser and go to 'your-url/account/registration' and you will see a sign-up page for your customers.
The first, and easiest thing to do, is to enable CAPTCHA in your online store settings. If you are using a Shopify theme this will likely fix the issue. If, however, you are using a non-Shopify theme or you have edited the code on this page, CAPTCHA may not display and therefore will not fix the issue.
I use a premium theme and it seems that the theme does not correctly enable CAPTCHA when the setting is set to show it. This is something I will be feeding back to the theme creators. However, as I don't use customer accounts at the moment, I simply went to my theme and went to customize. Under the drop-down where you can select which page you are editing, I navigated to the customer registration page. Once here, I removed the sign-up form from the template.
Since doing this I have had no new fake accounts created (so far) leading me to believe this was the issue. I will give it a couple more days to be 100% sure and then I will work with the theme developer to fix the issue correctly by ensuring CAPTCHA works on the page.
My process was long but methodical. I think this is the important thing, try to determine which of the high level routes your accounts are coming from so you can then dive deeper. Before I took this approach I was randomly deleting apps and hoping for the best!
I will post an update in a couple of days with confirmation that this has resolved the issue and I hope this post is useful to someone else experiencing the same or similar issue.
Good job sleuthing and great explanation! Thanks for sharing, as I think this will surely help many other users.
Hi everyone,
Just to add something I realized today.
Have been experiencing the same issue from a time ago. Since we're doing several changes in the store (adding new products, changing suppliers, etc.), we set the store with password, however the new fake accounts continue being created.
Have added the captcha and hope to stop this problem.
Good luck to all!
Hello,
We have been experiencing the same issue as well. Did this work?
This is an accepted solution.
I simply went to my theme and went to customize it. Under the drop-down where you can select which page you are editing, I navigated to the customer registration page. Once here, I removed the sign-up form from the template.
I did this too - I am getting a few signups per week with fake emails?
Check to make sure you have CAPTCHA enabled. See Shopify CAPTCHA settings.
If you are using the Customer Fields app, see our spam protection guide with adjustable sensitivity for reCAPTCHA. You may be able to prevent these spam sign ups by increasing the sensitivity of reCAPTCHA.
The fake customers might not affect you at all.
Your email list should only include those who have opted into marketing, but if these fake accounts have opted into marketing than you might pay more to your ESP for additional contacts. In that case, it would be best to delete the fake accounts as to not incur unnecessary charges.
Otherwise, fake accounts do very little harm to most DTC sites besides add unwanted clutter. More of an annoyance than anything.
The real harm comes to B2B or members-only sites who have restricted pages for customers only. In that case, I would recommend using an app like Customer Fields who have an account approval feature.
This solution did not work for us. The fake accounts are still being created.
Do you know how to turn off the Shopify welcome email to new accounts so those emails are not repeatedly reported/marked as spam?
Hi everyone. Thank you for the solutions.
I have been inactive for a while and I have over 4k registered fake customers. How does this influence my account and for example organic growth or marketing? And when I delete the fake accounts will everything be back to normal?
Thanks for this thread. I just started having random accounts created about 4 days ago. I upped by Captcha level. We’ll see if that worked.
For those using Customer Fields, see our spam protection guide with adjustable sensitivity for reCAPTCHA.
I'm having the same issue. I deleted over 2k accounts last night and they keep creating them every minute in my shop. I also have no account log in options and already removed the "create account" option from my customer account page. Still doesn't work.
Removing the "create account" option doesn't prevent people from signing up. Web developers and people with the right technical skills know how to hit Shopify's endpoints on the backend to create a customer.
One thing to keep an eye on his HOW the customers are getting created. If you go to the Customers page in your Shopify Admin and click into the Customer detail page for one of these spam accounts, scroll to the bottom and look at how these customers are getting created (see screenshot).
I think the best thing you can do is make sure that reCaptcha is enabled. For those using Helium Customer Fields, you can adjust the sensitivity of Google's recaptcha to be more strict if you're still getting spammed by these bots.
Unfortnately my reCaptcha decided to stop loading the challenge on the challenge page and only had a box which would not let me bypass it which means that customers wouldn't be able to either so I had to disable it. Apparently this is a an issue that Shopify is aware of and nothing we can do on our end is stopping it. Even when I had reCaptcha enabled for years apparently they were creating thousands of fake accounts and only recently did I start to notice because they started using obvious www type links for their name. Only when looking through all of my customers did I notice large clusters with real names that had spammy emails that didn't match the customer so they've been at it a while, even with reCaptcha enabled. They're getting in the back end like you stated and there's apparently not much we can do until they fix it. In another thread someone was told by Shopify that "they're working on it", which can mean years in Shopify time.
I did look to see potentially where these accounts were coming from and they all seem to have the same account creation. Just says Customer was created so it could be coming from my newsletter which has recaptcha or my contact forms which even though I disabled catpcha today due to it not loading properly and not allowing any form submissions, it still prompts it when running tests. Regardless I had captcha for years on my site turned on and over 4k accounts were made in that time.
I only took notice when they stopped using real names and started just posting links, over 2k of them.
Thanks for sharing. Bummer there's not more to go on there.
I shared this in another thread, but there are 3 strategies that might help you, but unfortunately each method requires an app. Our app Customer Fields is one of the solutions. That being said, here are 3 suggested methods to try:
Here are some recommended apps:
I have the same issue of fake accounts. I know I have around 2000 genuine customers,however looking today, after receiving a number of emails from unknown people saying that 'they didnt create an account, what is going on', and now see I have 23882 accounts in my accounts list!
The detail of the account says 'customer was created'.
One name that occurred a lot was '123 123' so started deleting these, however at 50 at a time this would take weeks! So I gave up.
One question I have is why would people/bots do this? What is their purpose, apart from annoying the store owner and flooding the addresses they signed up with 'new account confirmation' email from my site.
I just posted in this thread too. We've tried all the tricks with ZERO results.
No idea what the end game is for the account creator, however store owners run a huge risk of having their emails reported as spam to ISP's which will cause deliverability issues and (in the case of gmail/Google) can reduce search visibility.
So frustrating.
@Javasusie I hear you. This sucks. Apparently, our Helium Customer Fields app is effectively solving this issue for some merchants. This review came in over the weekend.
Our support team is US-based and ready to help if you want to give the free trial a go.
We're getting signups just like this. Very annoying. I deleted a few thousand initially and have been manually deleting them every few days but it's a headache. Have you had any luck finding a way to block the account signups?
Starting a B2B store is a big undertaking that requires careful planning and execution. W...
By JasonH Sep 23, 2024By investing 30 minutes of your time, you can unlock the potential for increased sales,...
By Jacqui Sep 11, 2024We appreciate the diverse ways you participate in and engage with the Shopify Communi...
By JasonH Sep 9, 2024