Also be a pal and mark it as a solution if it helped you
Topic summary
Unfamiliar, cryptic domains (e.g., *.shopifypreview.com) appeared in Facebook Events Manager under Traffic Permissions → Allow list alongside the primary domain, raising concerns about possible misuse or compromise of the Facebook pixel.
Possible causes discussed:
- Innocent: events fired from Shopify preview/test or Facebook Pixel’s Test/Preview mode; check if dates align with your testing.
- Unauthorized use: other sites pasting your pixel and sending traffic/events; may include “bad actors” or competitors.
Recommended actions (per Facebook help and user suggestions):
- Restrict the Allow list to only your own domain(s) so attempts from other domains are blocked.
- Remove unknown domains from Allowed and/or add them to a Block list.
- Audit pixel usage and compare suspicious domains’ activity with your test timelines.
Resources shared:
- Facebook Business help article on Traffic Permissions and allow/block lists.
- A detailed guide post by the OP explaining how to check if you’re affected.
Outcome/status: No confirmed root cause; multiple hypotheses remain. Consensus leans toward a security-first approach—limit Allow list to trusted domains and block unknown entries while investigating.