As a Shopify Plus merchant, I want to publicly raise a serious and increasingly widespread security issue impacting our storefront — and many others across the platform.
A new, highly persistent bot is exploiting a loophole in Shopify’s backend architecture to generate massive volumes of add-to-cart activity. These bots are hitting both storefront routes (corrupting analytics) and backend endpoints (submitting cart requests), making them especially damaging.
Key characteristics of this exploit:
Uses over 18,000 rotating IPs, making IP blocking ineffective
Mimics common browser user agents and request headers, appearing identical to real users
Then exploits Shopify’s architecture to bypass front-end logic and spam cart activity at scale
The result? Corrupted analytics, inflated ad spend, polluted customer insights, and disrupted merchandising ops.
Third-party app providers have confirmed they cannot stop this bot — because apps operate after the request hits Shopify’s infrastructure. The only viable solution is enforcement at the Cloudflare WAF level, where Shopify — and only Shopify — has control.
Despite detailed escalations and cooperation from third-party providers, Shopify has refused to intervene, instead pointing merchants to app-based solutions that are technically incapable of solving the problem. This is not a store-specific issue — it’s a platform-wide security oversight that Shopify is currently choosing not to address.
If this continues, Shopify risks exposure for knowingly allowing preventable harm to merchants — and a collective legal challenge for negligence may become the only path forward for those suffering operational and financial damage.
We urge Shopify’s infrastructure and security teams to take responsibility and deploy WAF-level mitigations immediately.
Merchants affected by this issue — feel free to comment or connect. We’re stronger together.
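Added example, not part of the original post or of Shopify: the characteristics listed above (tens of thousands of rotating IPs, browser-like headers, bulk cart submissions) have a recognisable shape in request logs, and the script below shows why IP blocking fails against it. It assumes you have access to request logs for your storefront (a reverse proxy or an edge log export; Shopify does not expose these by default), buckets POST requests to the cart endpoints per minute and reports windows where the volume is high but spread across so many distinct IPs that per-IP blocking cannot help. The log lines and thresholds are constructed for the demo.

```python
"""Spot add-to-cart floods spread across many source IPs.

Added example, not from the thread or from Shopify: it reads web-server style
request log lines, buckets POST requests to the cart endpoints per minute and
reports windows where the volume is high but so spread across distinct IPs
that per-IP blocking cannot help, which is the situation the post describes.
The log lines and thresholds below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format line: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CART_PATHS = ("/cart/add", "/cart/add.js")  # storefront add-to-cart routes

def parse_line(line):
    """Return the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "minute": ts.strftime("%Y-%m-%dT%H:%M"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "ua": m["ua"],
    }

def summarize_cart_adds(lines):
    """Per-minute counts of cart POSTs, the distinct IPs and a user-agent histogram."""
    windows = defaultdict(lambda: {"requests": 0, "ips": set(), "uas": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in CART_PATHS:
            continue
        w = windows[rec["minute"]]
        w["requests"] += 1
        w["ips"].add(rec["ip"])
        w["uas"][rec["ua"]] += 1
    return windows

def flag_windows(windows, min_requests=20, min_ip_ratio=0.8):
    """Flag minutes with many cart POSTs where almost every request comes from a new IP.

    A high distinct-IP ratio with one dominant user agent is the rotating-proxy
    signature: blocking by IP is useless, so the control has to be rate or
    fingerprint based at the edge. Thresholds are assumptions for the demo.
    """
    flagged = []
    for minute, w in sorted(windows.items()):
        ip_ratio = len(w["ips"]) / w["requests"]
        top_ua, top_count = max(w["uas"].items(), key=lambda kv: kv[1])
        if w["requests"] >= min_requests and ip_ratio >= min_ip_ratio:
            flagged.append({
                "minute": minute,
                "requests": w["requests"],
                "distinct_ips": len(w["ips"]),
                "top_ua_share": round(top_count / w["requests"], 2),
                "top_ua": top_ua,
            })
    return flagged

# Constructed sample: 40 cart POSTs in one minute from 40 different IPs sharing one
# browser-like user agent, then a real shopper adding two items in the next minute.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")

def _log_line(ip, hhmmss, method, path, ua=BROWSER_UA):
    return (f'{ip} - - [12/May/2025:{hhmmss} +0000] "{method} {path} HTTP/1.1" 200 512 '
            f'"https://shop.example/products/demo" "{ua}"')

SAMPLE_LOG = [_log_line(f"203.0.113.{i}", f"10:15:{i % 60:02d}", "POST", "/cart/add.js")
              for i in range(1, 41)]
SAMPLE_LOG += [
    _log_line("198.51.100.7", "10:16:02", "GET", "/products/demo"),
    _log_line("198.51.100.7", "10:16:20", "POST", "/cart/add.js"),
    _log_line("198.51.100.7", "10:16:41", "POST", "/cart/add.js"),
]

if __name__ == "__main__":
    for hit in flag_windows(summarize_cart_adds(SAMPLE_LOG)):
        print(hit)
```

On the constructed sample the 10:15 window is flagged with 40 requests from 40 distinct IPs and a single user agent, while the real shopper's two adds at 10:16 stay below the threshold. The distinct-IP ratio is the point: once it approaches 1.0, an IP blocklist grows as fast as the attack, which is why the thread keeps coming back to edge-level rate and fingerprint controls.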
We are being affected by this attack as well with hundreds of abandoned carts a day and no way to stop it. It's harming our domain reputation as they create bogus customer accounts that will receive emails and get our domain blacklisted for spam on bounce rates. It is ruining analytics and statistics, jacking up tracking costs due to erroneous traffic. All types of issues. Shopify PLEASE TAKE ACTION TO STOP THIS!
We've been working on a WAF solution and have successfully blocked bots. Now we're in cleanup mode (all third-party integrations need to be checked and updated if needed, there are still some unknown SEO implications, the URL structure of Shopify nav links needs to be manually updated, …). I need a few more days to finalize this, then I'll post what I've done (to make sure I don't give anyone wrong directions).
I have raised the issue with the tech team and was told to use apps. I started using flows to slow it down, which doesn’t work all the time. I am also using Blockify, which seems to be working for some bot traffic but not others. This is getting annoying. I must constantly check the customer list to remove subscribed spam accounts so we don’t ruin our email reputation and deliverability. I don’t understand the endgame for this… What is the benefit?
Yeah this is killing us as well. We’ve tried Blockify and other solutions and as you state it is not helping. This is something Shopify has power over, not us or a 3rd party app. We’re having to manually clean our customer lists all the time. Shopify is not lifting a finger other than giving us the runaround to more apps that “aren’t allowed to do much when it relates to carts creating accounts”. This is more than frustrating as it’s killing our marketing and analytics which are pretty much dead in the water. Sending Emails risks making it worse and advertising our Shopify site feels like a waste of money.
Someone else mentioned consulting a lawyer and I’m starting to think this is reaching that level at this point. How can they not take their customers marketing ability (which they pride themselves on) more seriously than low level support runarounds sending us to 3rd party apps?
We are also suffering from this attack, with more than 500 abandoned orders every day. We contacted customer service, and their reply is always that they have seen this problem and have reported it. They are completely irresponsible.
Not given up yet, but damn p*ssed at Shopify for not fixing this. We’re still dead in the water on our Shopify based .com. If there was ever a reason they would lose the support of their core base, this is it.
Update: I identified most all variations that the bot uses to create bunk accounts in Shopify. Since it is at a deeper level, I cannot prevent new accounts, but I added flows to identify the patterns and delete the account automatically. This also works most of the time for unsubscribing the accounts in our email list. It's important to make sure you are not sending emails to these fake accounts because it will mess with your deliverability and reputation.
1. Flow 1 - Start when: Customer Created; Step 2 - Check if: Customer first name is empty or Address is empty or customer last name is empty; Step 3 - Do this: Delete Customer.
2. Flow 2 - Start When: Customer Created; Step 2 - Check if: Customer first name is empty; Step 3 - Do this: Delete Customer.
These do a similar thing. It is meant to catch what the first does not get. We require new customers to input a First and Last name or at a minimum an initial.
3. Flow 3 - Start When: Customer Created; Step 2 - Check if: Address is equal to “House Number 43. Gray Colony;” Step 3- Delete Customer
I run redundancy because sometimes while one flow is working it could miss accounts, so this setup catches 99.9% and deletes them. I don't need to do much now in Shopify. I just cannot trust our numbers. In addition to this we were able to segment our customer list and run flows on accounts that fit the spam bot criteria. I wiped out nearly 50,000 accounts.
Thanks so much for the Flows. I’m getting an error in the Customer Created trigger (for 2 of the 3 Flows I set up) that says, “Exception: Failed to query data for subsequent steps? Missing resource for customer.” Any idea what this means, how to fix, or is it normal? It appears to be preventing the Flow from running. Thanks in advance jeff@gfJules.com
I get that error occasionally. As long as it completes on some, that means it’s working. If it never completes, you’ll want to check your configuration to make sure it’s correct. I have had to modify flows to get them firing properly.
Thanks. So ‘Completed’ is more indicative than the ‘1 error,’ which just might mean it didn’t come up with any results in that particular run? I don’t know about you, but I created a flow just for > Location String (or whatever they call it) = Bellevue, WA United States AND ‘0 Orders.’ That seems to be 90% of my bots. Zero orders in an ecommerce platform should be a dead giveaway, right, or am I missing something? Thanks again for your help!
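Added example, not from the thread or from Shopify: the Flow conditions above (empty first or last name, empty address, the one address string the bot keeps reusing, and a Bellevue, WA location combined with zero orders) can be run as code over a customer export, which is useful for the bulk clean-up of existing accounts the posts describe and for checking that the redundant rules actually overlap the way you expect. The record field names and the sample records are constructed (a real export will need its column names mapped onto them); the match strings come from the posts.

```python
"""Triage customer records with the rules the thread describes.

Added example, not from the thread or Shopify: applies the Flow conditions
from the posts (empty first/last name, empty address, the reused bot address,
and "Bellevue, WA United States" with zero orders) to customer records and
reports which rules matched. Field names and sample records are constructed.
"""

BOT_ADDRESS = "House Number 43. Gray Colony"        # address string quoted in the thread
BOT_LOCATION = ("Bellevue", "WA", "United States")  # location quoted in the thread

def _blank(value):
    return value is None or str(value).strip() == ""

# Each rule mirrors one Flow condition; several redundant rules are kept on
# purpose, as the post says, so a record missed by one is caught by another.
RULES = [
    ("empty_first_name", lambda c: _blank(c.get("first_name"))),
    ("empty_last_name", lambda c: _blank(c.get("last_name"))),
    ("empty_address", lambda c: _blank(c.get("address1"))),
    ("known_bot_address",
     lambda c: str(c.get("address1", "")).strip().rstrip(";") == BOT_ADDRESS),
    # Zero orders alone is not a rule: every genuine new sign-up also has zero
    # orders, so it is only used in combination with the location, as in the post.
    ("bellevue_no_orders",
     lambda c: (c.get("city"), c.get("province_code"), c.get("country")) == BOT_LOCATION
     and int(c.get("orders_count") or 0) == 0),
]

def classify(customer):
    """Names of every rule the record matches (empty list for a clean record)."""
    return [name for name, test in RULES if test(customer)]

def triage(customers):
    """One entry per flagged record: matched rules plus the follow-up actions.

    'email_platform_properties' is the custom bot flag a later post suggests
    pushing to the email platform so the profile can be segmented and excluded
    from automated sends; the property names are assumptions.
    """
    flagged = []
    for c in customers:
        hits = classify(c)
        if not hits:
            continue
        flagged.append({
            "email": c.get("email"),
            "rules": hits,
            "delete": True,
            "unsubscribe": bool(c.get("accepts_marketing")),
            "email_platform_properties": {"suspected_bot": True, "bot_rules": ",".join(hits)},
        })
    return flagged

# Constructed sample records in the shape the functions above expect.
SAMPLE_CUSTOMERS = [
    {"email": "a@example.com", "first_name": "Ana", "last_name": "Ruiz",
     "address1": "12 Main St", "city": "Austin", "province_code": "TX",
     "country": "United States", "orders_count": 3, "accepts_marketing": True},
    {"email": "b@example.com", "first_name": "", "last_name": "", "address1": "",
     "city": "", "province_code": "", "country": "", "orders_count": 0,
     "accepts_marketing": True},
    {"email": "c@example.com", "first_name": "J", "last_name": "Q",
     "address1": "House Number 43. Gray Colony;", "city": "Bellevue",
     "province_code": "WA", "country": "United States", "orders_count": 0,
     "accepts_marketing": False},
    {"email": "d@example.com", "first_name": "Dana", "last_name": "Lee",
     "address1": "9 Pine Ave", "city": "Bellevue", "province_code": "WA",
     "country": "United States", "orders_count": 1, "accepts_marketing": True},
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_CUSTOMERS):
        print(entry)
```

On the sample, the blank record trips three rules at once and the reused-address record trips two, while the real Bellevue customer with one order is left alone. That overlap is what the "redundancy" in the earlier post buys: a record only has to match one rule to be cleaned up, and when a Flow run errors out on some records, a second rule or a batch pass like this one still catches them.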
That’s a solid first step — I did the exact same thing in the beginning using Arigato Automations and Shopify Flow.
The next (and important) step is to push a custom “bot” metric into Klaviyo (or whatever email platform you’re using) and create a segment of those profiles. Be sure to exclude this segment from all automated flows. The reason is that the sync delay between Shopify/Arigato/Flow automation and Shopify-to-Klaviyo can still cause bot profiles to be pushed into your email lists. This is critical because maintaining your email sending reputation is key — if it drops, you’ll need to re-warm your list, which is a slow and painful process.
Now, if you’re running ads (Search, Shopping, etc.), make sure the data feeding into your ad platforms is also clean. This gets tricky, especially if you’re using Shopify’s Google & YouTube app. Since fake profiles still get created and your session count stays high while conversion rate drops, that low-quality data feeds into Google Ads. PMAx (Performance Max) then starts to assume your campaigns are underperforming and scales down your reach — making it hard to scale spend even if you want to.
One workaround is to switch to manual shopping campaigns and build your targeting around SEO-style keyword segmentation. Just be careful not to scale campaigns too aggressively — aim for no more than 25–30% increases at a time, with enough pause between changes to avoid triggering a fresh learning phase in Google Ads.
Finally, when syncing product feeds from Shopify to Google, I recommend using a first-party data tool as your primary source — especially since GA4 is likely inaccurate in this scenario too.