How to stop bot from placing fake orders?

We just had a bot place 20 fake orders (I believe within the same second). It went after some hidden $0 products or products set on Shopify to $0 but instead had variations/prices controlled through an app. Is there a way to stop this?

I see someone else posted a reply on another topic that is the same issue 11 hours ago. https://community.shopify.com/c/shopify-discussions/bot-placing-abandoned-orders/td-p/2433368

1 Like

We are having the exact same issue. They even got into a password protected page. Shopify said they are working on it but no estimated time frame of when it will be resolved. We’ve had about 150 bot orders today.

For your store, utilize reCAPTCHA v3. My client just experienced a similar problem, which we resolved with reCAPTCHA.

You can use this on the product page as well as the cart page before checkout.

1 Like

Hi, we unfortunately had the exact same issue. Luckily we were able to cancel all orders.

Steve, did you experience the same thing happening again? Or would you have any suggestion how to prevent it? Unfortunately Shopify support is not helpful.

Thanks,

Anna

Same problem here with one of our clients’ stores: 700+ orders in about 3 hours by 95 fake accounts. After testing, we think the culprit is the direct account link found in settings > customer accounts > URL and it looks something like this: https://shopify.com/XXXXXXXXXX/account with the Xs being your account store ID.
This is a new link added by Shopify last year that allows anyone to create an account without recaptcha. Store owners and developers like us don’t have the ability to customize, edit or disable that link.

What is really needed is for Shopify to give merchants the ability to disable the customer accounts > URL link.

We are still testing but short of changing the $0 products to $0.01, there is nothing that has stopped these fake orders from coming in. We even turned off Shopify payments and disabled the checkout button on the cart temporarily. As far as we can tell, these attacks are coming in through the back end, not through anything that merchants have access to.

Can you add Recaptcha v3 to the settings > customer accounts > URL link?

@emmak18 can you check the fake customers and see if they all have the same domain in their email address? Ours all use the same email domain.

How did you do the server side verification?

All same domain rtremail.com. It was registered a little over a week ago. They are using a catch all for their mail server so the emails don't bounce.

No fix yet. This is a server side issue. I don't think we can fix it. This is the 2nd part of their attack. The next phase is going to be the real problem. I can see many paths forward where they can cause major damage.

More waves keep coming. 109 orders so far and noticed over 5,300 abandoned shopping carts since 1/26.

Yes they are all coming from the rtremail like Steve mentioned. We just received more as of a few minutes ago. Trying to change all items at $0 to a cent. But they are still getting into our password protected pages.

Were you able to move the orders out of unfulfilled? I hate to cancel but still have them sitting as unfulfilled orders.

@shamsulhuda There is no option to add reCAPTCHA v3 to the Customer Account URL (direct link) which is how the bot is creating new accounts on our client’s store.

Shopify Partner Support said their dev team asked to keep the fake accounts and orders in our store while they investigate. I would really like to delete them but have not heard anything from them in two days.

I filed a complaint here with NameCheap.com where the rtremail.com domain is registered. I know they can always register another domain but I figured it was worth the 3 minutes it took to report the abuse.

Please contact Shopify support and ask them to disable the Customer Account URL — that is how the bot is able to create accounts on our client’s private store.

We have the same situation - hundreds of fake orders on zero-dollar amounts. They look the same as yours. Shopify hasn’t been much help. We are trying apps right now - but haven’t found an answer. If anyone has suggestions, would sure appreciate it.

UPDATE from Shopify partner support:

“While it is not possible to block customers from creating accounts or placing orders, I would recommend that you install the Flow app from the app store. This is Shopify’s free automation app which will allow you to create workflows that can automatically cancel orders and delete customer accounts coming from the domain @rtremail.com. You can find more details about how the Flow app works from the help center here: Shopify Help Center | Shopify Flow, and I want to share these particular triggers: Cancel order and Delete customer to understand more. Once the app is installed, you will have access to either create your own custom workflows or install templates for these actions directly from the app. Please let me know if you decide to use Flow and I can guide you further on getting these workflows set up.”

So far, the best solution I’ve received.
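The signals reported in this thread (orders landing within the same second, $0 totals, one shared email domain, and the possibility of a newly registered replacement domain) can be checked over an order export before deciding what to cancel. This is an added example, not code from any poster or from Shopify; it calls no Shopify API, and the record fields (`id`, `email`, `total`, `created_at`), the thresholds and the sample orders are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

def email_domain(email):
    """Lower-cased domain part of an address, or '' if malformed."""
    local, sep, domain = email.strip().lower().rpartition("@")
    return domain if sep and local and domain else ""

def burst_ids(orders, window=timedelta(seconds=10), threshold=5):
    """IDs of orders that sit in a run of >= threshold orders within `window`."""
    ordered = sorted(orders, key=lambda o: o["created_at"])
    flagged, start = set(), 0
    for end, order in enumerate(ordered):
        while order["created_at"] - ordered[start]["created_at"] > window:
            start += 1  # slide the window's left edge forward
        if end - start + 1 >= threshold:
            flagged.update(o["id"] for o in ordered[start:end + 1])
    return flagged

def triage(orders, blocked_domains, **burst_kwargs):
    """Map order id -> list of reasons; orders with no reasons are omitted."""
    bursts = burst_ids(orders, **burst_kwargs)
    report = defaultdict(list)
    for o in orders:
        if email_domain(o["email"]) in blocked_domains:
            report[o["id"]].append("blocked-domain")
        if Decimal(o["total"]) == 0:
            report[o["id"]].append("zero-total")
        if o["id"] in bursts:
            report[o["id"]].append("burst")
    return dict(report)

def new_domains(orders, blocked_domains, min_zero_orders=3):
    """Unblocked domains with repeated $0 orders: candidates for the blocklist."""
    counts = Counter(email_domain(o["email"]) for o in orders
                     if Decimal(o["total"]) == 0)
    return sorted(d for d, n in counts.items()
                  if d and d not in blocked_domains and n >= min_zero_orders)

# Constructed sample: five same-second $0 orders, one paid order, and three
# slower $0 orders from a second (made-up) domain.
T0 = datetime(2000, 1, 1, 12, 0, 0)
SAMPLE = [{"id": f"#10{i:02d}", "email": f"u{i}@rtremail.com", "total": "0.00",
           "created_at": T0} for i in range(5)]
SAMPLE.append({"id": "#2001", "email": "buyer@example.org", "total": "24.99",
               "created_at": T0 + timedelta(hours=1)})
SAMPLE += [{"id": f"#30{i:02d}", "email": f"x{i}@catchall.example", "total": "0",
            "created_at": T0 + timedelta(hours=2 + i)} for i in range(3)]
```

Orders that carry several reasons are the strongest candidates for a cancel workflow, and `new_domains` surfaces a replacement domain that a fixed `@rtremail.com` rule would miss.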

Is this solution working? Have you tried it?

We are having the same issue. This really needs to be corrected on Shopify’s end. These are scripts going through a backend, not through any UI.

1 Like

Hi there, I am having the same issue with the bots creating fake customers every minute. Does Shopify help you to disable this link and does it work for you? I am still discussing with a Shopify advisor to see how to solve this, but this is a crazy issue!