How to handle unknown person added as website owner on Google Search Console?

Shopify Discussion

Topic summary

Multiple merchants received Google Search Console (GSC) alerts that unknown owners were added to URL-prefix properties on their domains’ subdomains (e.g., ftp., mail., cpanel.) that resolve to Indonesian gambling pages, often hosted on rogue myshopify.com stores.

Likely cause: unused DNS subdomains (common defaults like ftp/cpanel) pointing via CNAME/A to Shopify enabled attackers to add those subdomains to their own Shopify stores and verify GSC ownership via HTML tag. Some also found injected verification tags/scripts or leftover GSC tokens. Root domains typically remained unaffected in GSC.

What worked for participants:

  • In GSC, Add property for the exact subdomain, then Settings > Users & permissions to remove the rogue owner.
  • Remove/disable DNS records for unused subdomains (ftp, cpanel, etc.) or forward them to the main site; then re-remove owners in GSC. Verify the site via DNS TXT and set up a Domain property to prevent HTML re-verification.
  • In Shopify > Settings > Domains, ensure both apex (example.com) and www versions are connected/redirected correctly.
  • Inspect theme.liquid for unexpected google-site-verification meta or injected scripts; remove if malicious.
  • Enable MFA and rotate registrar/Shopify passwords; report the rogue myshopify.com store to Shopify for takedown.

Status: widespread and ongoing; reports across GoDaddy, Namecheap, Google Domains/Squarespace. No official Shopify fix posted; support often attributes to DNS configuration. Users shared BlackHatWorld threads describing this “Shopify Method.”

Summarized with AI on December 20. AI used: gpt-5.
27

Hi JJL – thank you for your kind advice. Your tip concerning having the Domain Setting in Shopify pointing to both www.MYSHOP.com as well as MYSHOP.com is key to unlocking the whole fiasco for me. I only had www.MYSHOP.com and MYSHOP.myshopify.com listed. I think that’s how the Indonesian hijacker exploited my URL. They added MYSHOP.com as a property on Google Search Console and had themselves verified as owner by adding the Google owner HTML code to their Shopify store page … then they added MYSHOP.com to their Shopify Domain setting, thereby stealing my URL for their nefarious purposes. So in my situation, it had nothing to do with my Godaddy DNS settings, but everything to do with Shopify allowing these hijackers to use a version of another Shopify store’s URL without permission. Who knew removing the WWW. in front of the store name creates such a security risk? For an average person without a computer programming background like myself, this has certainly been an eye-opening experience.

So for everyone reading this, please double check your Domains under your Shopify setting, and make sure you have both versions of your URL (with and without www) included. Set one as primary and have the others redirect to your primary within Shopify’s Domain settings!

And look at the source code on the Indonesian gambling page. If you see their Shopify store name in the source code like I did, contact Shopify and let them know. Shopify did take down the Indonesian store in my case, after I let them know which store to take down.

1 Like