Shopify store owners are experiencing a persistent issue with fake/spam customer accounts being created despite having reCAPTCHA enabled. The fake accounts share common characteristics: labeled as ‘classic’ accounts, often using placeholder names like “123 123”, and appearing to bypass standard security measures including form validation requirements.
Key findings:
Standard protections (reCAPTCHA, new customer account system, form validation) are ineffective
Accounts appear to be created through a backend vulnerability or API exploit, not through visible front-end forms
Multiple users report receiving hundreds of fake accounts within short timeframes
Shopify has not publicly addressed the underlying security issue
Attempted solutions:
Switching to new customer account login system (unsuccessful)
Commenting out account creation code sections
Using Shopify Flow app to automatically tag suspicious accounts based on criteria (missing names, zero orders)
Creating Python scripts to bulk-tag and segment fake accounts for deletion
Additional verification using ChatGPT to identify disposable emails, gibberish patterns, and bulk sign-ups
Current status: The issue remains unresolved at the platform level. Users are managing the problem through automated tagging and periodic bulk deletion rather than prevention.
Summarized with AI on October 25.
AI used: claude-sonnet-4-5-20250929.
It’s really disappointing that Shopify has done nothing to help this, especially because accounts created this way are getting imported into our MailChimp mailing lists, leading to lots of spam! They’ve essentially turned every Shopify store into a spam bucket.
All of our legitimate customers’ Customer History starts with an entry that they were created by the Helium Customer Fields app (or one of our custom API apps):
Whereas these spam ones report that they are created through the Online Store:
I’ve asked Shopify Support for more details to determine how these customers are created, but to no avail. They just checked my hCaptcha settings.
I don’t seem to be able to edit my comment, but in viewing my MailChimp subscriber lists (since these customers got passed through to our MailChimp mailing lists!), it looks like the flood of 16,000+ email addresses (including variations of the same name, e.g. abc@gmail.com, a.bc@gmail.com, a.b.c@gmail.com) started being added on 2024-09-15.
Luckily, in our case, the customers can be identified in Shopify by a lack of a name and we’ll set up a daily Mechanic automation to review recent new customers and delete the nameless ones. We’ll have to do this manually in MailChimp every time we send out a campaign.
It looks like the spam accounts stopped being created in my store 12 days ago, so hopefully Shopify finally fixed the issue that was letting this happen.
Here’s how you can bulk delete the accounts:
Create a customer segment that starts with the following:
customer_account_status = 'DISABLED' AND orders_placed(count_at_least: 1) = false
Add a few “AND customer_tags NOT CONTAINS ‘tagname’” where ‘tagname’ is a customer tag for valid customers that were created.
Export the list, then open it in a spreadsheet software like MS Excel, LibreOffice Calc, or Google Sheets.
In the spreadsheet software, apply a filter on the “tags” column to look for potential real customers, and sort by other columns to review for other factors to use to adjust the Shopify customer filter.
When you’re satisfied with the customer filter, save it as a segment.
Select all customers that show up in the filter and bulk delete them.
Actually, I was wrong. They didn’t stop, they just found a way to make the customers appear as enabled, which didn’t show up in my filter.
However, upon further research, I did find that all such spam customers have “Online Store created this customer” (which is not the case for any of my legit customers, which are created by the Customer Fields app, by an admin, or by a custom app). If you are familiar with building apps using the Shopify GraphQL API, the following query returns the customer timeline, which can then be searched for the string “Online Store created this customer”. I’m working on an automation using the Mechanic app to identify such customers, tag them, and then delete them.
Hi, did anyone resolve this? It has recently started happening to our store and although we have contacted support, there seems to be no solution! Many thanks
How does this work on the Shopify end? Sure it’s easy to delete rows from an Excel spreadsheet. How to get the real customers back in? Or, how to get the fake customers out? Are you saying export the entire list of fakes and reimport the segment? Will that actually delete everyone from the segment?
Yes I am able to segment all the fake customers
Shopify will only show 50 per segment page on the admin end (if they showed 500 at a time it would be easier!!!).
I now have 12,000 fake customers in my “fakes” segment, I’m gonna click 50 at a time and delete all 240 times
I’ve been doing this for weeks but it’s getting ridiculous now. 12,000? Someone’s having a laugh. Not me.
To deal with fake accounts cluttering the customer list, I set up an automation using the Shopify Flow app. The workflow automatically tags any new customer accounts that have no first and last name and an order number of 0. (You can customize the rules based on what you’re seeing on your end.)
Once these accounts are tagged, you can create a segment that filters by those tags and bulk delete them on a daily/weekly/monthly basis with just one click!
Now, if you’re trying to clean up existing fake accounts that weren’t tagged when they were created, that’s a bit trickier. In my case, I wanted to tag all accounts missing both a first and last name, as well as those with no order history — but Shopify doesn’t let you segment customers using the first_name and last_name filters.
So I wrote a Python script to loop through my entire customer list, tag the fake ones, and then used that tag to create a segment for easy removal. I didn’t want to risk losing legit customers by exporting a CSV, manually cleaning it, and reimporting it — especially with a customer base of over 95K.
This approach felt much safer and gave me more control. Hope it helps!
Legacy systems used by classic accounts can disable reCAPTCHA completely. Alternatively you can disable classic accounts entirely by using new customer account settings tab under Settings > Customer Accounts. Additional filtering can be done with the help of bot-blocking apps like Shop Protector and an IP firewall through Cloudflare to mitigate signups from automated bots.
You’re right! I figured it was not enough. After running the script and exporting all “likely bot” accounts into a CSV, I did an additional check through ChatGPT based on the following key criteria:
Disposable email domains
Gibberish or random email handles
Duplicate local parts across different domains
Bulk sign-ups within the same minute
Repetitive address lines
Invalid or placeholder phone numbers
This helped me sift through the less obvious accounts into a separate CSV. After that, I tested those by sending email campaigns to see if there was any real engagement, such as open rates and bounce rates.
Of course, there’s always a risk of removing legitimate sign-ups in the process. But when you’re dealing with an overwhelming number of accounts that clutter the CRM and pollute your data, it’s sometimes worth accepting the loss of a few inactive or non-ordering customers to maintain a clean database.
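The Flow rule from the earlier post (no first or last name and zero orders) and the extra criteria listed above (disposable domains, gibberish handles, duplicate local parts, same-minute bursts, placeholder phone numbers), plus the Gmail dot-variant pattern another poster noticed, combined into one offline scoring pass as an added example. This is not the poster's script and does not call Shopify's API: it runs over constructed customer records of the shape a real script would fetch and returns reason tags that such a script could apply as customer tags for a segment. The disposable-domain shortlist, the burst threshold and the gibberish heuristics are assumptions for the example.

```python
from collections import Counter, defaultdict
# Constructed shortlist for this example; use a maintained disposable-domain list in practice.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}

def _normalized(email):  # (local, domain); Gmail dot variants collapse: a.b.c@gmail.com -> abc
    local, _, domain = email.lower().partition("@")
    return (local.replace(".", "") if domain in ("gmail.com", "googlemail.com") else local), domain
def _gibberish(local):  # six or more letters with no vowel, or a handle that is mostly digits
    letters = [c for c in local if c.isalpha()]
    mostly_digits = len(local) >= 8 and sum(c.isdigit() for c in local) / len(local) > 0.5
    return (len(letters) >= 6 and not set(letters) & set("aeiou")) or mostly_digits
def _placeholder_phone(phone):  # every digit the same, or a straight 0-9 run
    digits = "".join(c for c in (phone or "") if c.isdigit())
    return bool(digits) and (len(set(digits)) == 1 or digits in ("1234567890", "0123456789"))

def flag_customers(customers, burst_threshold=3):
    """Map customer id -> reason tags; a record is a dict with id, first_name, last_name, email, phone, orders_count, created_at (ISO 8601)."""
    domains_per_local, pair_count, per_minute = defaultdict(set), Counter(), Counter()
    for c in customers:  # first pass: population-level counts the per-record checks need
        local, domain = _normalized(c["email"])
        domains_per_local[local].add(domain)
        pair_count[(local, domain)] += 1
        per_minute[c["created_at"][:16]] += 1  # bucket by YYYY-MM-DDTHH:MM
    flags = {}
    for c in customers:
        local, domain = _normalized(c["email"])
        checks = [
            ("nameless-no-orders", not (c.get("first_name") or c.get("last_name")) and not c.get("orders_count")),
            ("disposable-domain", domain in DISPOSABLE_DOMAINS),
            ("gibberish-handle", _gibberish(local)),
            ("duplicate-local-part", len(domains_per_local[local]) > 1),
            ("gmail-dot-variant", pair_count[(local, domain)] > 1),
            ("signup-burst", per_minute[c["created_at"][:16]] >= burst_threshold),
            ("placeholder-phone", _placeholder_phone(c.get("phone"))),
        ]
        reasons = [tag for tag, hit in checks if hit]
        if reasons:
            flags[c["id"]] = reasons
    return flags

def _rec(cid, first, last, email, phone, orders, created):
    return dict(id=cid, first_name=first, last_name=last, email=email, phone=phone, orders_count=orders, created_at=created)

# Constructed sample: one ordinary customer, a same-minute burst of bot-style sign-ups, one cross-domain duplicate.
SAMPLE_CUSTOMERS = [
    _rec(1, "Ann", "Lee", "ann.lee@example.com", "+1 555 0100", 3, "2024-09-14T10:05:12Z"),
    _rec(2, "", "", "abc@gmail.com", None, 0, "2024-09-15T03:12:01Z"),
    _rec(3, "", "", "a.b.c@gmail.com", "0000000000", 0, "2024-09-15T03:12:40Z"),
    _rec(4, "123", "123", "xqzvpl7k@mailinator.com", None, 0, "2024-09-15T03:12:55Z"),
    _rec(5, "", "", "abc@example.org", None, 0, "2024-09-16T08:00:00Z"),
]
```

Tag on the reasons rather than deleting directly, so a human can review the segment before the bulk delete, as the posts above do.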