All things Shopify and commerce
I received this email from Google this morning:
Thank you Ryan, I've done that.
Does anyone know what the ftp. prefix is? Do I own that? Should I be worried that I am being hacked?
Yes, I still have access. How do I remove them?
Thank you for all your help so far, Ryan.
I have just found the rogue owner of the ftp. address in google console. I have removed them but it says that they can just add themselves back again unless I remove a html tag from my homepage. Do you have any idea of how I would find this? How did they gain access in the first place?
I am the owner of the store and there are no staff members. I've checked in Shopify admin and no one else has been added. I've had no emails from Shopify to say that I've had a log in from an unknown device.
I do not have a Partner Dashboard account.
The only thing I've had is the email from Google Search Console saying that an email address (which is unknown to me) has added themselves as an owner of the domain name ftp.(my domain name).
I don't appear to have been hacked but a shopify store does exist at ftp.(my domain name), which I have reported to shopify.
Thanks.
Yes, I did get an email from google with the No.2 I do not recognize. I went to search console and there is no record of any other user/owner being added.
The problem is that it is not my domain name, it is my domain name with ftp. in front of it. Google seems to think that it is a problem. I'm still not completely sure what the ftp. means!! Do I own the ftp. prefix domain name?
Any luck with this? I just woke up to the same problem. No owners except me in the list yet I got 2 of these emails.
''New owner for https / mail dot mydomainname dot com / password
To owner of mydomainname,
Google has identified that xxx has been added as an owner of https / mail dot mydomainname dot com / password
Property owners can change critical settings that affect how Google Search interacts with your site. Ensure that only appropriate people have owner status, and that this role is revoked when it is no longer needed.''
Sorry this is happening to you too.
When you go into Google Search Console, is that subdomain listed or is it only your root domain that you can see? If it's not listed then click on 'ADD PROPERTY' and add the exact subdomain. Once you have done this you will be able to choose that subdomain, click on SETTINGS and then click USERS & PERMISSIONS, you will then see the offending 'owner' and be able to remove them (as the owner of the root domain you have control).
This will leave a 'LEFTOVER OWNERSHIP TOKEN' which you can only delete if you have access to the code on their store, which of course, you do not. So they could potentially add themselves back as an owner.
If you are not using the subdomain then go into the DNS settings where your domain is registered (mine is Godaddy), find the CNAME file associated with the subdomain and delete it. This will take their store down. If you're not sure what effect this will have on your own sites then make a note of the details so that can add it back in again if you need to. I'm guessing you're not using it and that's why it's been hijacked.
I've spoken to a few different people on other forums who have experienced the same thing. Is yours going to an Indonesian gambling site too?
I'm wondering if Shopify is allowing people free trials using any subdomain without checking authorisation. Make sure you contact Shopify about this so that they are fully aware of the problems they are causing.
All the best.
Thank you just did all that hope it helps. Cheers!
This just happened to me too! And yes it's going into a gambling site called Serba88.
How did they add themselves into my domain without my consent? Apparently they did it via HTML Tag, and now i can't remove their ownership!
This is really frustrating and Shopify said it's not their problem but GoDaddy..
I've been talking to people on the Shopify forum and on the Google Search Central Community and there are lots of us having the same problem. It seems to be with people using Godaddy and Shopify and it's when you have an unused DNS file in Godaddy (such as ftp.), malicious users can then create a subdomain of your domain name with this file.
I don't think it's a Godaddy problem, I do not think my Godaddy account was compromised in any way. The problem seems to be that Shopify are allowing malicious users to set up stores using subdomains without any authorisation from the root domain holder.
Have you deleted the DNS file from Godaddy? This will remove the page that the subdomain is pointing to.
Hi, I'm following your trail from GSC Community.
It happened to me as well, based on your info and my own rough research it seems they're exploiting unused sub domain & shopify store? I still don't know how they gained access and shopify support isn't helpful at all.
Thanks for bringing this up!
I am having the same problem with my site, but after deleting the DNS entry relating to FTP two days ago (and removing the unauthorized user from Google Search Console), the Indonesian gambling page is still up. I looked at their page's source code and the Indonesians are using a Shopify storefront xxx.myshopify.com that somehow points to a subdomain of my site. For example, my shop's URL is https://www.MYSHOP.com and the Indonesian set up their gambling page at https://MYSHOP.com
I reported the Indonesian Shopify store to Shopify yesterday, and I was told they will escalate the issue to the relevant department.
Can anyone help with how to get the gambling page taken down? I have contacted Godaddy and Shopify. Godaddy just tells me to report my own site to their team investigating scams, etc. -- which is totally not helpful, as I don't want my own legitimate site taken down! Shopify had me update my DNS entries, change my passwords and said they will look into the Indonesian Shopify store (who knows when?).
Hi Alice14, sorry to hear that this is happening to you too. Scary isn't it?
As the Indonesian gambling site didn't use your ftp subdomain (ftp.yourshop.com) then removing your ftp file from your DNS records will not do anything. It's still a good thing that you've deleted it as you do not need it for a shopify store and it stops it being hijacked by anyone.
Is your own shopify store still up and running? Did you only have https://www.yourshop.com pointing at your store and not https://yourshop.com? Both of those belong to you and you should really have both pointing to your store. I don't really know enough about this to advise you properly but if you go to your Shopify dashboard and then go to SETTINGS and then DOMAINS you should see what domains you have pointing to your store (I have MYSTORE.co.uk as a primary and www.MYSTORE.co.uk as a redirect to my shopify store).
The next bit I'm not too sure about, hopefully someone else might jump in and advise, if you make sure both of those are directed to your store then they will no longer point to the gambling site and it will disappear. Hopefully that makes sense.
My partner started a thread about this in the Google Search Console forum which you can find in the link below, there's a person there that is being really helpful and if you post on that thread then they might be able to help further:
https://support.google.com/webmasters/thread/257728643/unknown-person-added-themselves-as-owner-of-my-domain-in-search-console?
Best of luck with it.
Hi JJL -- thank you for your kind advice. Your tip concerning having the Domain Setting in Shopify pointing to both www.MYSHOP.com as well as MYSHOP.com is key to unlocking the whole fiasco for me. I only had www.MYSHOP.com and MYSHOP.myshopify.com listed. I think that's how the Indonesian hijacker exploited my URL. They added MYSHOP.com as a property on Google Search Console and had themselves verified as owner by adding the Google owner HTML code to their Shopify store page ... then they added MYSHOP.com to their Shopify Domain setting, thereby stealing my URL for their nefarious purposes. So in my situation, it had nothing to do with my Godaddy DNS settings, but everything to do with Shopify allowing these hijackers to use a version of another Shopify store's URL without permission. Who knew removing the WWW. in front of the store name creates such a security risk? For an average person without a computer programming background like myself, this has certainly been an eye-opening experience.
So for everyone reading this, please double check your Domains under your Shopify setting, and make sure you have both versions of your URL (with and without www) included. Set one as primary and have the others redirect to your primary within Shopify's Domain settings!
And look at the source code on the Indonesian gambling page. If you see their Shopify store name in the source code like I did, contact Shopify and let them know. Shopify did take down the Indonesian store in my case, after I let them know which store to take down.
Hi Alice14, that's great news, glad you managed to get it sorted out.
Hi JJL -- I do worry that I've overlooked something though. Because when you link a domain on Shopify, Shopify asks you to add a TXT DNS entry to verify that you own the domain. So how was the Indonesian hijacker able to link https://MYSHOP.com to their Shopify store without my knowledge or permission? I am sure they don't have access to my GoDaddy account, because I don't see another Shopify TXT entry. Now that I have deleted the FTP DNS entry and taken control of the https://MYSHOP.com property, are there still more ways for a hijacker to create a subdomain on my site?
Hi Alice14, I don't think they do have access to our Godaddy accounts (I hope!). Finding the unused subdomains doesn't seem to be difficult, I saw that there are even youtube videos showing people how to do it!! I don't know the details but it doesn't seem to need access to accounts to do it. The finer details of how they point the subdomain to their Shopify store I just don't know. I'm hoping that deleting the DNS entry for the subdomain puts an end to it.
Also jumping on this thread to share that I just received a notification from GSC that another owner had been added with an unknown email address, but also with no subdomain. When I go to www.mysite.com and mysite.com, it's all still pointing to my Shopify store. And the "new owner" isn't actually listed anywhere in my GSC users. I did have an unused token for an email address I'm familiar with, so I deleted that. But I can't figure out exactly what the implications are of my situation, as I'm not seeing any changes to my store.
I use Namecheap, is it possible that Shopify or Namecheap interceded and kept the bad actor for snaking a subdomain? Or my domain entirely?
Adding my name to this forum, same thing happening to me - though instead of Godaddy, my domain is hosted with Google - which is now making the switch over to Squarespace. It appears to be a little tricker to try and delete the ftp portion but I'm working through the steps now. I've contacted Shopify as well to let them know it happened - they said to contact google/squarespace.
The same thing has happened to me! I have been passed around from GoDaddy to HostGator to Shopify, with all of them telling me that everything looks correct on their end, when clearly it is not. Would loved to know if you found a solution. Ive been reading forums and someone said cloudfare has been compromised?
Hello Fcbeautyco,
The solution for me was to delete the ftp subdomain DNS file in Godaddy which the malicious site was using; this took down their store. I still don't really know how it happened but I do not think my security was breached on Shopify or Godaddy. It seems that the hackers found a way to utilise a weakness in the system which allowed them to find unused subdomains and open Shopify stores without authorisation from the domain owner.
If the fault lies anywhere, then I think it is in us for not cleaning up unused DNS files and Shopify for allowing people to open stores using an unauthorised subdomain.
Do they gained access from html-tag verification as well? Mine did that, I remove them immediately. Indeed, it's some kind of automated script injected to html DOM or something.
lmk how it goes!
Also, would you mind DM me the shadow gambling store that points to your url?
In my case it was unused shopify store, I immediately deleted it and didn't get the chance to check the IP addr, I should've checked it first. Now, I'm still left wondering how they got it in the first place. Possibiliities: unused google analyttics verification and (not sure) since google domain my client was using is sold to squarespace, probably there's some vulnerability somewhere.
I got this today too. I initially did not see new users or owners, but then tried adding that EXACT ftp url in the Google Search Console (e.g. https:// ftp. my-web-site. com).
It then revealed the owners and files that had permission. I revoked the access. I have no idea how this happened.
The first email was a gmail account and the next said iam.gserviceaccount
Sorry to hear this happened to you too. Out of interest, where did they point your hijacked subdomains to, was it an Indonesian gambling site too? I have a theory that they are hijacking subdomains so that their IP address is showing as not in Indonesia, as gambling is illegal there.
Seems to be slots
favicon =
This same issue happened to us over the weekend. There were no CNAME or A records so we ended up logging into our domain registrar and forwarding ftp.oursite.com to our main site. Any official update form the Shopify team?
I haven't had any more updates from Shopify. I had a ticket open and was in conversation with one of their team about it; their last reply to me said that they were forwarding the matter to the relevant teams and that they were unable to interfere with Shopify accounts. When I tried to reply I found that they had closed the ticket! Have you contacted Shopify? It's good if more people contact them about it so they know how prolific this is.
Had this happen with a merchant recently as well. Not surprising, but was GoDaddy - which seems to be a common link here.
Would recommend you update all passwords for access to GoDaddy and make sure you've got multi-factor authentication setup as well. Don't use SMS/text as option whenever possible and use an authentication app instead (1Password is great for paid tool, Bitwarden good free open source alternative for password managers).
For other folks facing this problem, you'll have records within GoDaddy that you need to remove the DNS record that allows for a subdomain on "ftp" or any other subdomain you don't necessarily own. Before that, in order to gain access to your search console and remove other members you can add a TXT record to verify your ownership and then remove the bad actors. They won't be able to do HTML verification after you verify with DNS, remove, and then delete the subdomain record.
I'm working with a merchant who had this happen where Shopify does not have access/ability to create records and we've done all authentication manually (recommended because it works better anyways). This seems to be an issue with GoDaddy, not Shopify.
On the positive, Google views subdomains as separate entities so it's not likely that your primary URL property has been damaged but this is something you want to manage as quickly as possible.
If you don't have your primary property set up as a Domain property, would recommend that as well because you'll receive emails then whenever a new URL-prefix property is created.
I just want to share with everyone that apparently hijacking established Shopify domains is a "thing" in the Indonesian gambling scene in order to improve their SEO. They call it the "Shopify Method". They talk about it on Blackhatworld forums here and here. Given the prevalence of this occurring, more of us need to alert Shopify so that their security team can put a stop to this alarming practice.
Even Wired had an episode with the Indonesian gamblers taking over one of their subdomains last year. Read here.
Thank you! I'll try to alert Shopify as well.
Hi
a subdomain was taken over from an indonesian site for us also. Shopify Plus support just pushed the problem on us saying it was our dns issue. However, they allowed a shopify website to host a hacker and maliciously take over a domain. Shopify should not allow a subdomain to be added to a new store without authorisation of the domain owner. I believe everyone here should demand better support and security from a service we all pay a lot for. Google should ensure that tokens can be revoked by the domain admin, rather than the html snippet they use to authorise the domain which cannot be revoked. Two obvious failings.
I agree completely! I ended up adding the other prefixes of my site onto my google search console, inspected the page source and saw that it was in-fact a Shopify website. They did this with three different prefixes of my domain. Shopify took no accountability at all, kept blaming my dns and telling me to “be patient” even after I told them it was through Shopify. I have spent over a week now dealing with this, and cleaning it up. I’ve also had to individually submit each page onto google search console for the pages to be removed.
In case anyone in future or past still facing this kind of issue, here is the solution:
<meta content='google-site-verification=yh1rFkJx8lErpIPigRyQM6GU3_EMzZmY5RHAo1qQZEE' />
This or similar code is automatically added to your website (document) on page load, it usually added because of an extra "site owner" added in your google search console. And google search console doesn't let you remove ownership of that extra or stranger owner email unless you delete above code from your website.
Here is what starts the complete process.
What adds above code automatically is a link tag here inside 'theme.liquid' file:
<link rel="preconnect" href="https://cdn.shopify.com">
This code above start the process. but it's a main part of your shopify store because verifies your ownership and page redirects that shopify has - backend stuff - this is not the problem here.
Go to your domain provider e.g godaddy, namecheap, or any other:
There go to dns records you will see a TXT record named - in my case - google-site-verification=yh1rFkJx8lErpIPigRyQM6GU3_EMzZmY5RHAo1qQZEE
You just need to remove that and then try to remove owner from search console, it will be done after 5-6 minutes wait at most..
Simple Steps
1. Go to Godaddy or any other domain provider you're using.
2. remove TXT record you have ownership of - above image shows example of record added (match it first and then delete)
3. try now to delete ownership from google search console. it will be done
Hey Community! As the holiday season unfolds, we want to extend heartfelt thanks to a...
By JasonH Dec 6, 2024Dropshipping, a high-growth, $226 billion-dollar industry, remains a highly dynamic bus...
By JasonH Nov 27, 2024Hey Community! It’s time to share some appreciation and celebrate what we have accomplis...
By JasonH Nov 14, 2024