Hi @ponix
I’m glad you were able to locate the liquid file. Are you not able to add Google reCaptcha to it? It’s completely free up to 1,000,000 assessements.
Topic summary
Multiple store owners are experiencing a surge of fake newsletter signups and customer account creations—one reporting over 100 fake signups daily despite minimal legitimate traffic (under 10 sessions/day). These fake entries bypass normal analytics, leaving no trace in traffic data, cart activity, or checkout metrics, appearing only in customer lists.
Key Issues:
- Shopify’s native newsletter signup form lacks built-in security options (no CAPTCHA, no rate limiting per session/visit)
- Third-party solutions attempted (Negate bot protection, Google reCAPTCHA) have proven ineffective
- Disabling newsletter signup, Shop features, and adding custom fields did not stop the attacks
- Fake accounts show random names with legitimate-looking email addresses but no actual engagement
Suspected Cause:
One support representative suggests a script may be injected into the theme itself, as bots are creating accounts without registering as site traffic.
Recommended Actions:
- Contact theme developer to investigate potential code injection
- For Shopify-developed themes, escalate to Shopify’s theme department
- Multiple users report the same problem across different stores, indicating a broader platform vulnerability
The issue remains unresolved and is significantly impacting marketing efforts and data integrity.