How to handle unknown person added as website owner on Google Search Console?

Topic summary

Multiple merchants received Google Search Console (GSC) alerts that unknown owners were added to URL-prefix properties on their domains’ subdomains (e.g., ftp., mail., cpanel.) that resolve to Indonesian gambling pages, often hosted on rogue myshopify.com stores.

Likely cause: unused DNS subdomains (common defaults like ftp/cpanel) still pointed at Shopify via CNAME/A records, which let attackers add those subdomains to their own Shopify stores and verify GSC ownership via HTML tag. Some also found injected verification tags/scripts or leftover GSC tokens. Root domains typically remained unaffected in GSC.

What worked for participants:

  • In GSC, Add property for the exact subdomain, then Settings > Users & permissions to remove the rogue owner.
  • Remove/disable DNS records for unused subdomains (ftp, cpanel, etc.) or forward them to the main site; then re-remove owners in GSC. Verify the site via DNS TXT and set up a Domain property to prevent HTML re-verification.
  • In Shopify > Settings > Domains, ensure both apex (example.com) and www versions are connected/redirected correctly.
  • Inspect theme.liquid for unexpected google-site-verification meta or injected scripts; remove if malicious.
  • Enable MFA and rotate registrar/Shopify passwords; report the rogue myshopify.com store to Shopify for takedown.

Status: widespread and ongoing; reports across GoDaddy, Namecheap, Google Domains/Squarespace. No official Shopify fix posted; support often attributes the issue to DNS configuration. Users shared BlackHatWorld threads describing this “Shopify Method.”

Summarized with AI on December 20. AI used: gpt-5.
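An added example, not from the thread or from Shopify or Google: a small audit for the DNS cleanup step in the summary. It reads a zone export and lists every hostname that ends up on Shopify, directly or through an in-zone CNAME such as `ftp CNAME @`, without being a hostname you deliberately connected. Assumptions: the export uses `name ttl IN type value` lines, `example.com` is a placeholder, the function names are hypothetical, and the Shopify targets (`shops.myshopify.com`, `23.227.38.65`) should be checked against Shopify's current documentation.

```python
SHOPIFY_CNAME = "shops.myshopify.com"   # assumption: Shopify's documented CNAME target
SHOPIFY_A = {"23.227.38.65"}            # assumption: Shopify's documented A-record target

def parse_zone(text, origin):
    """Map fqdn -> [(type, value)] from 'name ttl IN type value' lines."""
    origin = origin.rstrip(".").lower()
    def fq(name):
        name = name.lower()
        return origin if name == "@" else name[:-1] if name.endswith(".") else f"{name}.{origin}"
    records = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        rtype = fields[3].upper()
        value = fq(fields[4]) if rtype == "CNAME" else fields[4]
        records.setdefault(fq(fields[0]), []).append((rtype, value))
    return records

def reaches_shopify(name, records, hops=8):
    """Follow CNAMEs inside the zone; True if the chain lands on Shopify."""
    for _ in range(hops):
        if name == SHOPIFY_CNAME or name.endswith(".myshopify.com"):
            return True
        rrset = records.get(name, [])
        if any(t == "A" and v in SHOPIFY_A for t, v in rrset):
            return True
        cnames = [v for t, v in rrset if t == "CNAME"]
        if not cnames:
            return False
        name = cnames[0]
    return False

def find_exposed(zone_text, origin, intended):
    """Hostnames that land on Shopify but were not deliberately connected."""
    records = parse_zone(zone_text, origin)
    keep = {h.lower().rstrip(".") for h in intended}
    return sorted(n for n in records if n not in keep and reaches_shopify(n, records))

# Constructed sample zone for the placeholder domain example.com.
SAMPLE_ZONE = """\
@      3600 IN A     23.227.38.65
www    3600 IN CNAME shops.myshopify.com.
ftp    3600 IN CNAME @
cpanel 3600 IN A     23.227.38.65
mail   3600 IN A     192.0.2.10
"""

if __name__ == "__main__":
    print(find_exposed(SAMPLE_ZONE, "example.com", {"example.com", "www.example.com"}))
```

Each hostname it reports is a candidate for the DNS removal step above, followed by removing any unknown owner from that subdomain's property in GSC.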

Hi

A subdomain was taken over from an Indonesian site for us also. Shopify Plus support just pushed the problem on us saying it was our DNS issue. However, they allowed a Shopify website to host a hacker and maliciously take over a domain. Shopify should not allow a subdomain to be added to a new store without authorisation of the domain owner. I believe everyone here should demand better support and security from a service we all pay a lot for. Google should ensure that tokens can be revoked by the domain admin, rather than the HTML snippet they use to authorise the domain which cannot be revoked. Two obvious failings.

1 Like