How can I prevent fake customer accounts on my website?

Topic summary

Shopify store owners are experiencing a persistent issue with fake/spam customer accounts being created despite having reCAPTCHA enabled. The fake accounts share common characteristics: labeled as ‘classic’ accounts, often using placeholder names like “123 123”, and appearing to bypass standard security measures including form validation requirements.

Key findings:

  • Standard protections (reCAPTCHA, new customer account system, form validation) are ineffective
  • Accounts appear to be created through a backend vulnerability or API exploit, not through visible front-end forms
  • Multiple users report receiving hundreds of fake accounts within short timeframes
  • Shopify has not publicly addressed the underlying security issue

Attempted solutions:

  • Switching to new customer account login system (unsuccessful)
  • Commenting out account creation code sections
  • Using Shopify Flow app to automatically tag suspicious accounts based on criteria (missing names, zero orders)
  • Creating Python scripts to bulk-tag and segment fake accounts for deletion
  • Additional verification using ChatGPT to identify disposable emails, gibberish patterns, and bulk sign-ups

Current status: The issue remains unresolved at the platform level. Users are managing the problem through automated tagging and periodic bulk deletion rather than prevention.

Summarized with AI on October 25. AI used: claude-sonnet-4-5-20250929.
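The tagging criteria listed in the summary (placeholder or missing names, zero orders, disposable emails, bulk sign-ups), as an added example that is not code from this thread. The field names, the disposable-domain list and the thresholds are assumptions, and the rows are constructed sample data standing in for a customer export.

```python
import re
from collections import Counter

# Constructed sample rows; field names are assumptions, not a Shopify export schema.
CUSTOMERS = [
    {"id": 1, "first": "123", "last": "123", "email": "qxzvbk@mailinator.com",
     "orders": 0, "created": "2025-10-01T03:14:05"},
    {"id": 2, "first": "", "last": "", "email": "a@example.com",
     "orders": 0, "created": "2025-10-01T03:14:20"},
    {"id": 3, "first": "123", "last": "123", "email": "b@example.net",
     "orders": 0, "created": "2025-10-01T03:14:41"},
    {"id": 4, "first": "Dana", "last": "Reyes", "email": "dana@example.org",
     "orders": 2, "created": "2025-09-12T10:02:00"},
    {"id": 5, "first": "Sam", "last": "Okafor", "email": "sam@example.org",
     "orders": 0, "created": "2025-10-02T18:30:00"},
]
DISPOSABLE_DOMAINS = {"mailinator.com"}  # assumed, illustrative list only
BURST_THRESHOLD = 3                      # assumed: sign-ups within the same minute

def signals(customer, signups_per_minute):
    """Return the list of reasons a single record looks like a fake sign-up."""
    found = []
    name = f"{customer['first']} {customer['last']}".strip()
    # Missing name, or a name with no letter in any script (e.g. "123 123").
    if not name or not re.search(r"[^\W\d_]", name):
        found.append("placeholder-name")
    if customer["orders"] == 0:
        found.append("zero-orders")
    if customer["email"].rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
        found.append("disposable-email")
    if signups_per_minute[customer["created"][:16]] >= BURST_THRESHOLD:
        found.append("signup-burst")
    return found

def triage(customers, min_signals=2):
    """Map customer id -> reasons, for records with at least min_signals hits.

    Requiring two signals keeps a genuine new customer with zero orders
    (id 5 in the sample) out of the deletion segment.
    """
    per_minute = Counter(c["created"][:16] for c in customers)
    flagged = {}
    for c in customers:
        hits = signals(c, per_minute)
        if len(hits) >= min_signals:
            flagged[c["id"]] = hits
    return flagged

if __name__ == "__main__":
    for cid, why in triage(CUSTOMERS).items():
        print(cid, "suspected-fake:", ", ".join(why))
```

Review the flagged segment before deleting anything; the output is meant to drive a tag, not an automatic delete.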

Actually, I was wrong. They didn’t stop, they just found a way to make the customers appear as enabled, which didn’t show up in my filter.

However, upon further research, I did find that all such spam customers have “Online Store created this customer” (which is not the case for any of my legit customers, which are created by the Customer Fields app, by an admin, or by a custom app). If you are familiar with building apps using the Shopify GraphQL API, the following query returns the customer timeline, which can then be searched for the string “Online Store created this customer”. I’m working on an automation using the Mechanic app to identify such customers, tag them, and then delete them.

{
   customer(id:"gid://shopify/Customer/<