Clicking on invoice link bypassed login and password

Shopify Discussion
,

Topic summary

A Shopify user accidentally triggered a two-factor authentication SMS to a customer while testing an invoice link. They were concerned because no login/password page appeared, making the customer suspicious of fraud.

Key Finding:

  • Shopify support clarified this is working as designed
  • When logged into the Shopify admin account, staff can access customer accounts without needing the customer’s credentials
  • The system automatically sends an SMS notification to customers when their account is accessed for transparency

Resolution:

  • The behavior is intentional, not a bug
  • The SMS notification serves as a security measure to inform customers of account access
  • Issue resolved through support contact
Summarized with AI on November 2. AI used: claude-sonnet-4-5-20250929.
1

I’m new to Shopify for my new job. My colleague sent me a Shopify invoice link to send to a customer. When I pasted it into the email and clicked on it to ensure the hyperlink was working, the page automatically sent a two-factor authentication code to the customer’s SMS right away. I didn’t see any login and password page at all. Now, the customer thinks I’m a fraud.

This issue has been plaguing me for the past few days. I haven’t been able to find any articles about someone being able to log into a customer’s account this way. I also saw that the new Shopify Customer account sends one-time login codes to emails but not phone numbers.

Was I unlucky to encounter a bug? Was this working by design? I’m worried that the customer will think I accessed her account again if any of her accounts get hacked in the future

2

Could you post a (redacted) version of the link? That may help diagnose this

3

I contacted Shopify support. Turns out when I’m logged into my Shopify admin account, I don’t need the customer’s login and password to access their account. But for transparency, the customer will receive an SMS notification regarding the login.