Update: I believe I have solved this but will confirm in a couple of days assuming no more accounts are created.
In case anyone else is having the same issue and would like to resolve it, this is the approach I took.
Customer accounts can be created in 3 main ways: 1) via the admin by you or the team, 2) via the website, or 3) via an app/API that has the ‘edit customer’ permissions. Within these 3 routes, there are multiple ways accounts are created, but categorizing them into these buckets helps with diagnosis.
Firstly, it is important to confirm your and any staff accounts are safe and secure. I would suggest ensuring 2-factor authentication is enabled for all logins and resetting passwords. It is unlikely this is the reason the accounts are being created, but it is the most dangerous if it is, as someone has access to your account. Lock it down before proceeding. N.B. If the accounts are being created inside admin, the customer timeline will show which user created them, so open up one of these customers and look at who created them. If there is a user associated with the creation it will look like this:
Next is to determine if the customer is being created via the website; this is the most likely scenario.
There are multiple ways a customer account can be created via the website: email newsletter sign-up forms, chat widgets, starting an order, registering an account, etc.
Most of these routes will leave a clue on the customer account. For example, it is likely that if the account is being created via a newsletter sign-up form then the account will have the tag ‘newsletter’, or if it is via a pop-up sign-up form it may have a tag of the app you are using for the pop-up. Look at the tags on these accounts for clues as to where the account is coming from.
Also, check your abandoned carts to see if there are abandoned carts matching the customers you are seeing in your customer list.
Next, we need to consider account registration. (This is where mine were coming from). Shopify has a feature allowing customers to create an account with your store enabling them to track past orders etc. I strongly believed my customers were not coming from this route as I had customer accounts disabled. However, the account registration page still potentially exists for your store even if you have accounts disabled. Open a browser and go to ‘your-url/account/registration’ and you will see a sign-up page for your customers.
The first, and easiest thing to do, is to enable CAPTCHA in your online store settings. If you are using a Shopify theme this will likely fix the issue. If, however, you are using a non-Shopify theme or you have edited the code on this page, CAPTCHA may not display and therefore will not fix the issue.
I use a premium theme and it seems that the theme does not correctly enable CAPTCHA when the setting is set to show it. This is something I will be feeding back to the theme creators. However, as I don’t use customer accounts at the moment, I simply went to my theme and went to customize. Under the drop-down where you can select which page you are editing, I navigated to the customer registration page. Once here, I removed the sign-up form from the template.
Since doing this I have had no new fake accounts created (so far), leading me to believe this was the issue. I will give it a couple more days to be 100% sure and then I will work with the theme developer to fix the issue correctly by ensuring CAPTCHA works on the page.
My process was long but methodical. I think this is the important thing: try to determine which of the high-level routes your accounts are coming from so you can then dive deeper. Before I took this approach I was randomly deleting apps and hoping for the best!
I will post an update in a couple of days with confirmation that this has resolved the issue and I hope this post is useful to someone else experiencing the same or similar issue.
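
The triage described in the post, as an added example that is not part of the original post: it sorts customer records into the routes above (admin, tagged website form, abandoned cart) and lists the accounts that no clue explains. The CSV is a constructed, hand-built sheet and its column names (`email`, `tags`, `created_by`, `has_abandoned_cart`) are assumptions, not Shopify's export schema.

```python
import csv
import io
from collections import Counter

# Constructed sample data. Column names are hypothetical: fill them in by hand
# from each customer's timeline, tags and your abandoned-cart list.
SAMPLE_CSV = '''email,tags,created_by,has_abandoned_cart
a@example.com,"newsletter, vip",,no
b@example.com,,Jane (staff),no
c@example.com,,,yes
d@example.com,,,no
e@example.com,popup-app,,no
f@example.com,,,no
'''

def classify(row):
    """Map one customer row to the most likely creation route."""
    if row["created_by"].strip():
        # The customer timeline named a staff user: created inside admin.
        return "admin"
    tags = [t.strip().lower() for t in row["tags"].split(",") if t.strip()]
    if tags:
        # A tag usually names the form or app that created the account.
        return "website:tag:" + tags[0]
    if row["has_abandoned_cart"].strip().lower() == "yes":
        # A matching abandoned cart points at a started order.
        return "website:checkout"
    # No clue left behind: check the registration page and any app or API
    # client that holds customer-edit permissions.
    return "unexplained"

def triage(csv_text):
    """Return (route counts, emails with no identifiable route)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    counts = Counter(classify(r) for r in rows)
    unexplained = [r["email"] for r in rows if classify(r) == "unexplained"]
    return counts, unexplained

if __name__ == "__main__":
    counts, unexplained = triage(SAMPLE_CSV)
    for route, n in counts.most_common():
        print(f"{n:3d}  {route}")
    print("Investigate next:", ", ".join(unexplained))
```

A large "unexplained" bucket is the signal to look at the registration page and at installed apps before removing anything else.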