Hacked store - additional collections injected into my store

Shopify Discussion

Topic summary

A Shopify store owner discovered 18 unauthorized collections injected into their site, following the pattern “collections/all/hack-discord” or similar variations. These malicious pages are indexed in Google Search Console but cannot be found anywhere in the store’s backend, suggesting a security breach.

Key concerns:

  • The injected collections are invisible within Shopify’s admin panel
  • Pages are already indexed by Google, potentially harming SEO
  • The injection method remains unknown

Current status:

  • At least one other user reports experiencing the same issue with a client’s site
  • A proposed solution involves using robots.txt to prevent these pages from being crawled and disallowing them in Google Search Console

The discussion remains open as users seek to understand the attack vector and find effective remediation strategies beyond blocking the pages from search engines.

Summarized with AI on November 17. AI used: claude-sonnet-4-5-20250929.
1

Hi all,

I’ve just logged into 1 of my test Shopify stores Google Search Consoles only to discover that within the indexed pages are 18 additional collections which have been added in by someone else.

I’ve only just noticed this and they all follow this pattern - collections/all/hack-discord (or something similar) see below.

Screenshot 2023-06-30 at 17.14.52.png
Screenshot 2023-06-30 at 17.14.52.png1388×180 59.3 KB

Has anyone else encountered this because I have no idea how this has been injected into this site!

The strangest thing is that I can’t find them anywhere in the backend of my store!!!

2

I have the same issue with a client’s site. I’m thinking about changing robots.txt to prevent the pages from being crawled and then disallowing them on Google.