How can I prevent fake customer accounts on my website?

Topic summary

Shopify store owners are experiencing a persistent issue with fake/spam customer accounts being created despite having reCAPTCHA enabled. The fake accounts share common characteristics: labeled as ‘classic’ accounts, often using placeholder names like “123 123”, and appearing to bypass standard security measures including form validation requirements.

Key findings:

  • Standard protections (reCAPTCHA, new customer account system, form validation) are ineffective
  • Accounts appear to be created through a backend vulnerability or API exploit, not through visible front-end forms
  • Multiple users report receiving hundreds of fake accounts within short timeframes
  • Shopify has not publicly addressed the underlying security issue

Attempted solutions:

  • Switching to new customer account login system (unsuccessful)
  • Commenting out account creation code sections
  • Using Shopify Flow app to automatically tag suspicious accounts based on criteria (missing names, zero orders)
  • Creating Python scripts to bulk-tag and segment fake accounts for deletion
  • Additional verification using ChatGPT to identify disposable emails, gibberish patterns, and bulk sign-ups

Current status: The issue remains unresolved at the platform level. Users are managing the problem through automated tagging and periodic bulk deletion rather than prevention.

Summarized with AI on October 25. AI used: claude-sonnet-4-5-20250929.

Hello everyone,

I’ve been trying to combat the issue of fake/spam customer accounts from being made. I am not entirely sure how they are being made, but after reading articles, and other posts on here - I sort of understand how.

I have done everything I can to combat the issue, my reCAPTCHA is and always has been enabled and yet these accounts are somehow still able to be made.

They are relatively all different, some you can tell the e-mails are just made up, and others can pose as legit e-mails but the names are made up.

Has anyone been able to actually curb this from the source?! I have a form sign up set up and that is what most of my customers use, however these fake ones have one thing in common, and that is their account is labeled ‘classic’

Any help, guidance, or advice is much appreciated!

Thank you!

7 Likes

Hi @SFisk

You can choose the version of customer accounts to use as New customer accounts in Settings > Customer accounts


Hi Dan-From-Ryviu,

Thanks for this advice! We are also facing this issue, especially recently. We see about 10 new spam accounts created per hour. I just deleted 8,000 fake accounts last night.

I followed your advice to switch to “New customer accounts” and confirmed that the old flow is disabled, but it does not seem to have helped. Since switching the option last night, I see about 120 new accounts created, as recently as a few minutes ago.

Here are some observations:

  • The accounts have a first/last name filled in

  • They do not have an address (only a “default address” consisting of their name and “united states”)

  • They have no orders

  • They are subscribed to email marketing

  • Their timeline starts with “Customer was created.”

I think that last point is interesting because when someone signs up through my site, it says something different: “Online Store created this customer.”

Do you have any other advice we can try?

Thanks so much!

-Emlyn

6 Likes
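The traits listed in the post above (no orders, no street address, marketing opt-in), plus the "123 123" placeholder names reported elsewhere in the thread, can be scored over a customer export to build a review list for tagging. This is an added example, not code from any poster or from Shopify. The column names and sample rows are constructed assumptions, and the "Customer was created." timeline text is not used because it is assumed to be absent from a CSV export.

```python
import csv
import io
import re

# Constructed sample export. The column names are assumptions modelled on a
# typical customer CSV export; adjust them to match your own file.
SAMPLE_EXPORT = """First Name,Last Name,Email,Accepts Email Marketing,Address1,Total Orders
123,123,jane.roe@example.com,yes,,0
Maria,Lopez,maria@example.org,no,12 Harbor St,3
Tom,Baker,tb8841@example.net,yes,,0
Lee,Wong,lee@example.org,no,,0
Priya,Shah,priya@example.org,yes,,1
"""

# Matches names that are empty or made only of digits and punctuation.
PLACEHOLDER_NAME = re.compile(r"^[\d\W_]*$")


def score_row(row):
    """Return (score, reasons) using the traits reported in the thread."""
    reasons = []
    name = (row["First Name"] + row["Last Name"]).strip()
    if PLACEHOLDER_NAME.match(name):
        reasons.append("placeholder-name")
    if int(row["Total Orders"] or 0) == 0:
        reasons.append("no-orders")
    if not row["Address1"].strip():
        reasons.append("no-street-address")
    if row["Accepts Email Marketing"].strip().lower() == "yes":
        reasons.append("marketing-opt-in")
    return len(reasons), reasons


def triage(csv_text, threshold=3):
    """Return {email: reasons} for rows at or above the threshold."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = score_row(row)
        # Any order history is treated as proof of a real customer.
        if score >= threshold and "no-orders" in reasons:
            flagged[row["Email"]] = reasons
    return flagged


if __name__ == "__main__":
    for email, reasons in triage(SAMPLE_EXPORT).items():
        print(f"review-for-tagging {email}: {', '.join(reasons)}")
```

The output is a review list for tagging, not a deletion list: a real customer who opted in to marketing but has not ordered yet scores the same as the accounts described in the thread.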

Yes!

This is the exact same thing that I am experiencing…

“Customer was created” and “Classic Account” is the only positive way to identify these accounts without accidentally deleting an authentic customer.

1 Like

Good Morning, Dan.

I switched this last night, however I woke up to 4 spam customer accounts exactly how Emlyn had replied below.

Is there any other alternative to deter this from happening?!

Thank you!

I just switched to the new customer accounts log in and it didn’t work. 3 fake accounts just came through. It seems like they’ve found a vulnerability within Shopify and are exploiting it. Nothing we do on our end works and if Shopify refuses to fix, we’re stuck deleting thousands of fake accounts constantly.

1 Like

Same exact problem here. Nothing I’ve tried works. Re-captcha decided to stop working on the challenge page and all I see is a button without the challenge so no one can submit a form via contact or newsletter, so I had to disable it. Even with it on, they were still creating accounts without form submission. Switched to new customer accounts and that didn’t work. They’ve found a hole that Shopify needs to close. The majority of apps available to either IP block or control spam have bad reviews and end up hurting more than they help so we’re stuck in an endless loop until Shopify fixes it. 😞

1 Like

Unfortunately that doesn’t work. I had 8 come through in the last 10 minutes while new customer accounts was enabled. Many others are seeing the same pattern. They found a hole within Shopify and nothing we do on our end stops it. Even with reCaptcha, they still get through.

Same exact problem here, e.g. from this one user alone, with First Name: 123 and Last Name: 123, I have received 270 fake accounts in the last couple of days. Even though I updated the registration form to only accept letters in the first and last name fields, they still somehow managed to bypass those requirements.

I’ve read most of the posts here about the same issue, and I am stunned by how none of them include any public sharing of thoughts or plans from the Shopify team on how to stop this issue of API customer creation.

3 Likes

Also an app isn’t going to fix a backdoor vulnerability that is being exploited in Shopify. Most of us are not having these fake accounts created by any front door customer log in, newsletter or contact page because Shopify will show where those customers originated from if any of these options were used. The new fake accounts are created through other means and Shopify needs to patch it up.

3 Likes

Also, if we have to use and pay for 3rd-party apps for fundamental stuff like customer registration, then what are we paying Shopify for?
Handing our customer’s info to another app just for registrations doesn’t sit right.

2 Likes

Exactly this. Shopify claims to care about the privacy of our customers, yet the only option to get around the vulnerability that they caused is to use a third party app where we have no control over what they do with our customer data. Make it make sense.

2 Likes

I have exactly the same issue with exactly the same 123 123 name. Thanks for sharing & yes, it’s a real issue/shame that Shopify are not hotter on this.

2 Likes

We are facing exactly the same issue. Shopify support is not able to give a solution for it.

1 Like

I did a test on Saturday after getting daily fake account creations and it seemed to work for now. When I added the Captcha also for my login, create account and password recovery pages, I only had 1 come through on Sunday morning and zero today. I was getting 30 to 50 per day. It’s the only fix that actually did something until Shopify fixes the issue.

2 Likes

I’m seeing the same issue in our Shopify stores. We use an app called “Blocky” and blocked a few countries as well as robots that we thought this may be coming from but that didn’t do anything. I think it’s a script injection through a vulnerability in Shopify and has nothing to do with blocking IPs or email addresses or robots. I just reported the issue to Shopify. They requested screenshots but didn’t have an immediate solution.

1 Like

We’re having the exact same problem. Hundreds of fake/spam customer accounts are being created a day. Originally, they all had the first name of “123” and last name of “123”, but with seemingly-real email addresses. No other data is on the account. The Shopify timeline feed for the customer just says “customer created”.

ReCaptcha is NOT a solution because these spammers are not using the front-end registration form. We don’t allow customers to register directly, and there was no link to the registration page on our Shopify store anywhere when this started happening. But, since the registration page was still technically accessible if you knew the URL, we then edited the registration page template and completely removed the form. The spam customers are still being created.

@Shopify_77, this is a security hole that needs to be fixed, please. Something like CSRF token protection on the server side (and front-end form) could probably prevent this. Whatever solution is employed, this needs a resolution because many are being negatively affected.

4 Likes

Agreed, and I did similar steps to the ones you took above, removing registration from my site and editing the code to remove the “create account” link, and nothing worked. When I finally went into preferences and added the captcha to the registration form, even though it’s not on my front end, I have not received any more new customers and I check daily. This is a security issue that Shopify needs to get fixed. This is 100% a back end code issue on Shopify’s part.

1 Like

Yes, this is what we did. We don’t have accounts active BUT were still receiving excess ‘123 123’ fake accounts, most probably from a bug/bot.

We’ve coded out (commented) the create accounts sections & enabled Captcha (on account creation), this seems to currently be doing the trick.

How did you manage to remove the Create Accounts link?

We’re having a similar issue, with a few hundred fake accounts being made every day - and similar to some others here, we don’t even allow regular signups so as people are saying there must be some exploit the bots are using. We’d rather not switch on reCAPTCHA as our customer base tend to be on the technically challenged side and we’ve had complaints when trying to use it in the past - annoyingly there doesn’t seem to be any means of enabling Captcha for account creation only without also enabling it for logins.

Oddly when I edit the code to comment out (or even flat out remove) the ‘Create account’ link on the login page it bizarrely still persists. Even stranger, when I tried deleting the registration page entirely, the link still worked and redirected to a much simpler account creation page that I’ve never even seen before!

Am I doing something wrong here? Like many of you I’m absolutely baffled as to why we’re suddenly getting so many fake accounts.