Agreed, and I took similar steps to the ones you took above, removing registration from my site and editing the code to remove the “create account” link, and nothing worked. When I finally went into preferences and added the captcha to the registration form, even though it’s not on my front end, I have not received any more new customers, and I check daily. This is a security issue that Shopify needs to get fixed. This is 100% a back-end code issue on Shopify’s part.
Topic summary
Shopify store owners are experiencing a persistent issue with fake/spam customer accounts being created despite having reCAPTCHA enabled. The fake accounts share common characteristics: labeled as ‘classic’ accounts, often using placeholder names like “123 123”, and appearing to bypass standard security measures including form validation requirements.
Key findings:
- Standard protections (reCAPTCHA, new customer account system, form validation) are ineffective
- Accounts appear to be created through a backend vulnerability or API exploit, not through visible front-end forms
- Multiple users report receiving hundreds of fake accounts within short timeframes
- Shopify has not publicly addressed the underlying security issue
Attempted solutions:
- Switching to new customer account login system (unsuccessful)
- Commenting out account creation code sections
- Using Shopify Flow app to automatically tag suspicious accounts based on criteria (missing names, zero orders)
- Creating Python scripts to bulk-tag and segment fake accounts for deletion
- Additional verification using ChatGPT to identify disposable emails, gibberish patterns, and bulk sign-ups
Current status: The issue remains unresolved at the platform level. Users are managing the problem through automated tagging and periodic bulk deletion rather than prevention.
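The tagging criteria listed in the summary (missing names, numeric placeholder names such as “123 123”, zero orders, bulk sign-ups) can be sketched as a triage script. This is an added example, not code from the thread or from Shopify; the record field names, the 5-minute window and the threshold of 3 are assumptions, and the sample customers are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are assumed, not Shopify's export schema.
CUSTOMERS = [
    {"id": 1, "first_name": "123", "last_name": "123", "email": "a1@example.test",
     "orders_count": 0, "created_at": "2024-05-01T10:00:05"},
    {"id": 2, "first_name": "", "last_name": "", "email": "b2@example.test",
     "orders_count": 0, "created_at": "2024-05-01T10:00:40"},
    {"id": 3, "first_name": "456", "last_name": "456", "email": "c3@example.test",
     "orders_count": 0, "created_at": "2024-05-01T10:01:10"},
    {"id": 4, "first_name": "Maria", "last_name": "Lopez", "email": "maria@example.test",
     "orders_count": 2, "created_at": "2024-05-01T10:01:30"},
    {"id": 5, "first_name": "Sam", "last_name": "Reed", "email": "sam@example.test",
     "orders_count": 0, "created_at": "2024-05-03T09:00:00"},
]

def name_signal(c):
    """Return 'missing_name', 'placeholder_name' or None."""
    first, last = c["first_name"].strip(), c["last_name"].strip()
    if not first and not last:
        return "missing_name"
    if (first + last).isdigit():  # e.g. "123 123"
        return "placeholder_name"
    return None

def burst_ids(customers, window=timedelta(minutes=5), threshold=3):
    """IDs of accounts that fall in a run of >= threshold sign-ups within `window`."""
    times = sorted((datetime.fromisoformat(c["created_at"]), c["id"]) for c in customers)
    flagged, start = set(), 0
    for end in range(len(times)):
        while times[end][0] - times[start][0] > window:
            start += 1  # slide the window forward
        if end - start + 1 >= threshold:
            flagged.update(cid for _, cid in times[start:end + 1])
    return flagged

def tag_suspects(customers):
    """Map customer id -> sorted reasons; accounts with orders are never tagged."""
    bursts = burst_ids(customers)
    result = {}
    for c in customers:
        if c["orders_count"] > 0:
            continue  # purchase history outweighs the other signals
        burst = "signup_burst" if c["id"] in bursts else None
        reasons = sorted(r for r in (name_signal(c), burst) if r)
        if reasons:
            result[c["id"]] = reasons
    return result
```

The output is a set of reasons per account for review and tagging; an account flagged only for `signup_burst` may be a real customer who registered during a spam wave.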