Security breach within Shopify accounts

Topic summary

A Shopify store owner discovered a vulnerability allowing unlimited customer account creation from a single email address and IP. The exploit uses email aliasing (adding +1, +2, etc. before the [email removed] symbol), which routes to the same inbox but bypasses Shopify’s duplicate email detection.

Real-world impact:

  • One store received 3,000 fraudulent registrations in 17 days
  • Single mailboxes linked to 196+ accounts
  • Pattern observed: [email removed] [email removed] etc.

Shopify’s response:
The company stated they only check for exact email matches, not aliases—effectively allowing multiple accounts per email address despite policies against it.

Security concern:
Anyone can target competitor stores or any Shopify merchant with customer accounts enabled using just one email address. The issue remains unresolved, with Shopify not classifying this as a security breach.

Summarized with AI on November 1. AI used: claude-sonnet-4-5-20250929.

The story is simple: basically, you can go to your competitor's store (or someone can go to your store, if you have accounts enabled) and create an unlimited number of customer accounts from the same browser and the same IP address. It takes about 1 minute to create one account if you are not that fast.

Issue breakdown: if you add +1…+9999999 to any email before [email removed], it will still be directed to your mailbox, i.e. yourmail AT yourmail dot com is the same as yourmail+1 AT yourmail dot com, etc. So you can basically just use one email and create thousands of accounts using the same email.

Shopify’s reply - we only check for email to be unique, not aliases. So, let me get this straight: you can’t create more than one account with the same email, but you can create more than one account with the same email :).

How did this come to light - we had 3000 account registrations in January (in the first 17 days). A lot of the accounts looked like email199 AT gmail and then email12 AT gmail. One mailbox had 196 accounts, others 2, 5, 11, 40, 50, etc.

Do know that if someone decides to target you, all they need is just a single email address, and Shopify does not feel that it's a security breach at all.
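As an added example (not code from the post or from Shopify), here is a duplicate-detection check a merchant could run over an export of customer emails: it folds the "+tag" sub-address and, for Gmail, dots in the local part into one canonical mailbox, then flags mailboxes that own several accounts. The sample registrations are constructed, and the dot-insensitive provider list is an assumption about Gmail only.

```python
from collections import defaultdict

# Assumption: only these domains ignore dots in the local part.
DOT_INSENSITIVE = {"gmail.com"}

# Constructed sample of registration emails, modelled on the pattern in the post
# (same mailbox, different +tags; dotted/undotted Gmail variants).
SAMPLE_REGISTRATIONS = [
    "yourmail@example.com",
    "yourmail+1@example.com",
    "YourMail+2@example.com",
    "email199@gmail.com",
    "e.mail199@gmail.com",
    "email199+shop@googlemail.com",
    "email12@gmail.com",
    "alice@example.org",
]


def canonical_mailbox(email: str) -> str:
    """Map an address to the mailbox it actually delivers to.

    Lowercases, drops a '+tag' sub-address, maps googlemail.com to gmail.com,
    and removes dots for dot-insensitive providers. Use the result only for
    duplicate detection; keep the original address for sending mail.
    """
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    local = local.split("+", 1)[0]      # yourmail+1 -> yourmail
    if domain == "googlemail.com":      # legacy alias domain for Gmail
        domain = "gmail.com"
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")  # e.mail199 -> email199
    return f"{local}@{domain}"


def accounts_per_mailbox(registrations):
    """Group registration emails by the canonical mailbox they resolve to."""
    groups = defaultdict(list)
    for email in registrations:
        groups[canonical_mailbox(email)].append(email)
    return dict(groups)


def flag_mailboxes(registrations, threshold=2):
    """Return mailboxes holding at least `threshold` accounts (review candidates)."""
    return {mbox: addrs for mbox, addrs in accounts_per_mailbox(registrations).items()
            if len(addrs) >= threshold}


if __name__ == "__main__":
    for mbox, addrs in flag_mailboxes(SAMPLE_REGISTRATIONS).items():
        print(f"{mbox}: {len(addrs)} accounts -> {addrs}")
```

The same canonical form can be checked at signup time to reject a second account for a mailbox already on file, which is the exact-match gap the post describes.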