i can replicate what these bots are doing just via postman.
https://shopify.dev/docs/api/liquid/tags/form#form-create_customer - the shopify liquid form tag just creates an html form that posts to /account
https://shopify.dev/docs/themes/architecture/templates/customers-register#content - the default form contains 4 fields
so in postman create a form that posts to your domain /account with those 4 fields, and the 2 hidden fields in from the liquid form tag and voila - a fake customer is created in your admin…captcha doesn’t seem to prevent this.
hopefully there is a way to disable POST requests to /account. eh shopify???
i guess you could do this to any shopify store out there…
You can see my postman created account in amongst all the 123, 123 accounts and a few more of my postman tests (im sure you can spot em…)
