A critical vulnerability in Shopify’s domain connection process allows unauthorized users to hijack domains that are pointed to Shopify’s IP addresses but not yet attached to a store.
How the exploit works:
- Attackers identify domains with DNS records pointing to Shopify but not connected to any shop
- They connect these domains to newly created Shopify stores without authentication
- This false ownership allows them to verify Google Merchant accounts and manipulate search engine indexing

Impact on victims:
- Loss of Google Merchant account control
- Disruption of organic traffic and daily sales
- Inability to reconnect domains (error: “already registered to another store”)
- Extended resolution times despite urgent support requests
Shopify’s response:
An official representative confirmed this is intentional design to “ease onboarding,” relying on users quickly connecting domains after DNS updates. While affected stores are eventually frozen, no authentication requirement exists to prevent initial hijacking.
Current status:
Multiple users report experiencing this exploit, with one noting two separate incidents within days. The vulnerability remains unaddressed, raising concerns about platform security priorities.
Summarized with AI on November 1.
AI used: claude-sonnet-4-5-20250929.
I recently woke up to find that my client's Google Merchant account had been verified and claimed by someone else. Upon further investigation, I discovered that the domain, hiltontextiles.com, was being redirected to another Shopify store: (https://312606-6e.myshopify.com). After digging deeper, I confirmed that the domain itself is still securely held with the client's domain provider, so the domain itself was not hijacked. However, it appears that the hijacker somehow managed to verify and claim our domain through another Shopify store. This allowed them to set up a new Google Merchant account, falsely verifying that they own the domain, which they do not.
I attempted to resolve this by deleting the DNS records linking our domain to Shopify and re-adding them with new verification codes. Unfortunately, I received an error stating that the domain is already registered to another Shopify store. A few days later, I received a message that the store associated with our URL has been frozen.
This seems to expose a serious flaw in Shopify’s system, allowing a hacker to claim ownership of a URL that doesn’t belong to them. To make matters worse, Shopify’s customer support has been unhelpful. Despite raising this issue, I’ve been repeatedly told that it’s being investigated, but no progress has been made.
If this is indeed a bypass on Shopify that allows someone to “claim” a URL they don’t own, it could pose a significant threat to many merchant accounts. Meanwhile, we are losing sales daily as none of our organic URLs are working, and we’ve received no meaningful updates from Shopify.
Can anyone offer insight on how to resolve this issue? Could this be a broader vulnerability within Shopify’s platform?
Hi there, @DJ7 ! Thanks for taking the time to reach out to the Shopify Community Forums regarding this situation with your domain! My name is Imogen. It’s great to connect with you! I’m jumping in here to provide some context around what you’ve experienced!
In order to ease onboarding onto Shopify, we have made adding new domains simple by not requiring authentication. This normally works well due to the short amount of time between updating DNS to point a domain at Shopify and connecting a domain to your shop.
In this case however, your domain was pointed to Shopify IP addresses, but not attached to a shop. Someone happened to notice this, and connected it to a new shop, which we have since closed down. They never had access to any private information about you or your customers.
As a follow up to this, you’ll want to look into the following next steps:
Review and update your DNS configuration to ensure that it only contains domains that you are actively using on a shop.
I hope this information helps shed some light on what you’ve experienced! Thanks again for taking the time to reach out to the Shopify Community to bring your experience to our attention.
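The DNS review recommended in the reply above, sketched as an added example that is not part of the thread and not Shopify's code: it scans a zone export you own for A/CNAME records that still point at Shopify while the hostname is not connected to any of your shops. The Shopify targets in `SHOPIFY_TARGETS`, the sample zone, and the function names are assumptions; each record is assumed to carry an explicit owner name.

```python
# Assumption: Shopify's published DNS targets; confirm against Shopify's
# current domain documentation before relying on them.
SHOPIFY_TARGETS = {"23.227.38.65", "shops.myshopify.com"}

# Constructed sample zone export (BIND-style), not real data.
SAMPLE_ZONE = """\
$ORIGIN example-shop.test.
@      3600 IN A     23.227.38.65
www    3600 IN CNAME shops.myshopify.com.
old    3600 IN CNAME shops.myshopify.com.   ; retired storefront
blog   3600 IN A     192.0.2.10
mail   3600 IN MX    10 mx.example-shop.test.
"""


def fqdn(name, origin):
    """Expand a zone-file owner name to a lowercase FQDN without trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".").lower()
    return f"{name}.{origin}".lower()


def find_dangling(zone_text, connected):
    """Return [(host, rtype, target)] pointing at Shopify but not in `connected`."""
    origin, findings = "", []
    connected = {d.rstrip(".").lower() for d in connected}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        parts = line.split()
        if parts[0].upper() == "$ORIGIN" and len(parts) > 1:
            origin = parts[1].rstrip(".").lower()
            continue
        # Record layout: owner [ttl] [class] type rdata; skip TTL and class.
        fields = [p for p in parts[1:] if not p.isdigit() and p.upper() != "IN"]
        if len(fields) < 2 or fields[0].upper() not in {"A", "AAAA", "CNAME"}:
            continue
        host, target = fqdn(parts[0], origin), fields[1].rstrip(".").lower()
        if target in SHOPIFY_TARGETS and host not in connected:
            findings.append((host, fields[0].upper(), target))
    return findings


if __name__ == "__main__":
    # Second argument: hostnames shown as connected in the shop admin (constructed).
    for host, rtype, target in find_dangling(SAMPLE_ZONE, {"example-shop.test", "www.example-shop.test"}):
        print(f"DANGLING {host} {rtype} -> {target}")
```

Any hostname it reports should either be connected to a shop you control or have its record removed from the zone.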
Thank you so much for providing such a detailed explanation of what happened. In my view, there should be preventive measures in place to stop hijackers from exploiting this kind of loophole in the first place. This issue allowed someone to falsely claim ownership of our domain and take control of our Google Merchant account. While Shopify has since resolved the matter, it took quite some time to do so. I really appreciate your help again! Wishing you well.
Same happened last week twice with only days between two domains. They somehow find old domains still pointing to Shopify, take over domain with Shopify, auth on Google Search by verifying control of domain (which Shopify has unlawfully granted them), make change for search engine to index domain, delete their user on Google Search.
Clearly Shopify has a gaping hole being used by hackers and Shopify chooses to ignore it. Seeing the date on this post and the reply saying it is “by design”, indicates that Shopify is ok with it. Money is money I guess.
Hi @user2609 Contact a Shopify support advisor DIRECTLY for such matters on the help pages chat.
Type “support advisor” to try and get past the chatbot faster http://help.shopify.com/
For any copycat domains also pursue a fraud report, DMCA or merchant