How can I prevent fake customer accounts on my website?

Topic summary

Shopify store owners are experiencing a persistent issue with fake/spam customer accounts being created despite having reCAPTCHA enabled. The fake accounts share common characteristics: labeled as ‘classic’ accounts, often using placeholder names like “123 123”, and appearing to bypass standard security measures including form validation requirements.

Key findings:

  • Standard protections (reCAPTCHA, new customer account system, form validation) are ineffective
  • Accounts appear to be created through a backend vulnerability or API exploit, not through visible front-end forms
  • Multiple users report receiving hundreds of fake accounts within short timeframes
  • Shopify has not publicly addressed the underlying security issue

Attempted solutions:

  • Switching to new customer account login system (unsuccessful)
  • Commenting out account creation code sections
  • Using Shopify Flow app to automatically tag suspicious accounts based on criteria (missing names, zero orders)
  • Creating Python scripts to bulk-tag and segment fake accounts for deletion
  • Additional verification using ChatGPT to identify disposable emails, gibberish patterns, and bulk sign-ups

Current status: The issue remains unresolved at the platform level. Users are managing the problem through automated tagging and periodic bulk deletion rather than prevention.

Summarized with AI on October 25. AI used: claude-sonnet-4-5-20250929.

I don’t seem to be able to edit my comment, but in viewing my MailChimp subscriber lists (since these customers got passed through to our MailChimp mailing lists!), it looks like the flood of 16,000+ email addresses (including variations of the same name, e.g. abc@gmail.com, a.bc@gmail.com, a.b.c@gmail.com) started being added on 2024-09-15.

Luckily, in our case, the customers can be identified in Shopify by a lack of a name, and we’ll set up a daily Mechanic automation to review recent new customers and delete the nameless ones. We’ll have to do this manually in MailChimp every time we send out a campaign.
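An added example, not part of the original post or thread: one way to script the tagging criteria discussed in this topic (missing or placeholder names such as "123 123", zero orders, and Gmail dot variants like abc@gmail.com / a.bc@gmail.com, which Gmail delivers to the same mailbox). The CSV column names and the sample rows are constructed assumptions, not Shopify's export format.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows; the column names are assumptions, not a real export format.
SAMPLE_CSV = """id,first_name,last_name,email,orders_count
1,Ana,Lopez,ana.lopez@example.com,3
2,,,abc@gmail.com,0
3,,,a.bc@gmail.com,0
4,,,a.b.c@gmail.com,0
5,123,123,qwerty@example.net,0
6,Bo,Chen,bo.chen@gmail.com,1
7,Bo,Chen,bochen+shop@googlemail.com,0
"""

def canonical_email(email):
    """Collapse Gmail dot and +tag variants to one mailbox key."""
    local, _, domain = email.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local, domain = local.split("+", 1)[0].replace(".", ""), "gmail.com"
    return f"{local}@{domain}"

def is_placeholder_name(first, last):
    """True for a missing name or a digits-only name such as '123 123'."""
    name = f"{first} {last}".strip()
    return not name or re.fullmatch(r"[\d\s]+", name) is not None

def flag_customers(rows, min_cluster=2):
    """Return {customer id: list of reasons} for zero-order accounts worth tagging."""
    rows = list(rows)
    clusters = defaultdict(list)
    for r in rows:
        clusters[canonical_email(r["email"])].append(r["id"])
    flags = {}
    for r in rows:
        if int(r["orders_count"] or 0) > 0:
            continue  # never flag an account that has placed an order
        reasons = []
        if len(clusters[canonical_email(r["email"])]) >= min_cluster:
            reasons.append("email-variant-cluster")
        if is_placeholder_name(r["first_name"], r["last_name"]):
            reasons.append("no-real-name")
        if reasons:
            flags[r["id"]] = reasons
    return flags

if __name__ == "__main__":
    for cid, why in flag_customers(csv.DictReader(io.StringIO(SAMPLE_CSV))).items():
        print(cid, ", ".join(why))
```

The output is a list of ids to tag for review; accounts with at least one order are skipped so that a real customer who shares a mailbox with a variant sign-up is not flagged.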