A Shopify merchant running a client store discovered this week that the platform's own subdomain architecture can render an entire stack of third-party bot defences completely useless. The case, documented publicly in the r/shopify subreddit and amplified on LinkedIn, reveals a structural condition in how Shopify routes checkout traffic - one that has consequences extending well beyond a single store.

The incident began with an attack generating more than 500 fake cart additions per hour. According to the Reddit post by user DiscoverMyBusiness, the store was hit with a flood of abandoned checkouts carrying false names and addresses. The volume was severe enough to contaminate email marketing flows, bloat customer databases, and trigger abandoned cart sequences for contacts that were never real.

The defences that failed

The merchant's team deployed what would ordinarily be considered a comprehensive defensive configuration. According to the post, the steps taken included adding strict hCaptcha and reCAPTCHA controls specifically on the add-to-cart and checkout flows - not only on standard web forms. Premium Shopify bot protection apps were installed, configured to evaluate user behaviour rather than relying solely on IP address matching. Cloudflare was configured in Challenge Mode with aggressive rate-limiting applied to add-to-cart requests. Traffic from suspicious countries and autonomous system numbers (ASNs) was temporarily blocked at the network level. Out-of-stock products, which appeared to be the primary targets, were fully hidden from the storefront.

None of it worked. According to the post, an inspection of server logs eventually revealed why: "The bots were not hitting our main domain." The automated traffic was bypassing the merchant's primary domain entirely and sending requests directly to the store's myshopify.com subdomain - a subdomain that is hard-routed through Shopify's own Enterprise Cloudflare account and cannot be placed behind the merchant's own Cloudflare configuration.

This is not a minor technical edge case. Every Shopify store, regardless of which custom domain it uses, has a corresponding myshopify.com address assigned by default. Because Shopify controls the DNS and Cloudflare configuration for that subdomain, any WAF rules, rate limits, or IP blocks built inside a merchant's own Cloudflare account have no effect on traffic hitting that address. The merchant described the situation plainly: "You can't get access to shopify.domain. It's owned by Shopify."
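A check for the pattern the merchant found when reading logs, as an added example that is not part of the Reddit thread or of Shopify's tooling: it parses constructed, vhost-prefixed access-log lines (a hypothetical layout with placeholder domains), counts add-to-cart POSTs per hostname per hour, and reports which host the burst actually lands on. Shopify's /cart/add and /cart/add.js paths are real storefront endpoints; the log format, domains and threshold default are assumptions.

```python
import re
from collections import Counter

# Placeholder hostnames: the same cart endpoint answers on both of them.
CUSTOM_DOMAIN = "example-store.com"            # merchant domain (hypothetical)
PLATFORM_HOST = "example-store.myshopify.com"  # default subdomain (hypothetical)

# Assumed "vhost + combined" layout: host ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CART_ADD_PATHS = ("/cart/add", "/cart/add.js")  # Shopify storefront cart endpoints

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def cart_adds_per_host_hour(lines):
    """Count add-to-cart POSTs keyed by (host, clock-hour bucket)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] in CART_ADD_PATHS:
            hour = rec["ts"][:14]  # "20/Apr/2026:10:03:11 +0000" -> "20/Apr/2026:10"
            counts[(rec["host"], hour)] += 1
    return counts

def flag_bypass(lines, custom_domain, threshold=500):
    """Report host/hour buckets above the threshold (500/hour, the rate in the post).

    Any flagged host other than the custom domain is traffic that merchant-side
    Cloudflare or WAF rules never saw: the bypass the thread describes.
    """
    counts = cart_adds_per_host_hour(lines)
    flagged = {f"{h}@{hr}": n for (h, hr), n in counts.items() if n > threshold}
    bypass = sum(n for (h, _), n in counts.items() if h != custom_domain)
    total = sum(counts.values())
    return {"flagged": flagged, "bypass_share": bypass / total if total else 0.0}

def constructed_sample():
    """Synthetic hour of logs: 20 real cart adds, a 600-request bot burst, one page view."""
    fmt = '{host} {ip} - - [20/Apr/2026:10:{m:02d}:{s:02d} +0000] "POST {path} HTTP/1.1" 200 512 "-" "{ua}"'
    real = [fmt.format(host=CUSTOM_DOMAIN, ip="203.0.113.10", m=i, s=0, path="/cart/add", ua="Mozilla/5.0") for i in range(20)]
    bots = [fmt.format(host=PLATFORM_HOST, ip="198.51.100.7", m=i // 10, s=i % 10, path="/cart/add.js", ua="python-requests/2.31") for i in range(600)]
    noise = [f'{CUSTOM_DOMAIN} 203.0.113.11 - - [20/Apr/2026:10:07:40 +0000] "GET /products/widget HTTP/1.1" 200 8192 "-" "Mozilla/5.0"']
    return real + bots + noise
```

Run flag_bypass(constructed_sample(), CUSTOM_DOMAIN) to see the burst attributed entirely to the myshopify.com host, which is the host no merchant-side rule covers.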

Shopify's response and the one measure that held

The merchant escalated the issue to Shopify Support, explaining that malicious traffic was reaching checkout by exploiting a subdomain managed within Shopify's own infrastructure. According to the post, Shopify's response was that it could not help. No backend block was offered, and no custom WAF rule was applied to the subdomain on the merchant's behalf. A commenter identifying as a Shopify Plus merchant confirmed a similar experience: "Even before finding a solution we had spoken to Shopify who acknowledged the issue but refused to do anything about it. They said we should just delete the spam customers as soon as they came in."

A separate commenter identifying as a Shopify Expert described receiving 50,000 sessions in a single day from China and having set up security rules blocking a large list of ASNs through a paid Cloudflare Pro plan - yet still being bypassed via the myshopify.com URL. "Until Shopify provide a way where we can put our myshopify behind Cloudflare," the commenter wrote, "every store will continue to get botted, scraped and clones will always be made of websites."

The only measure that proved effective, according to DiscoverMyBusiness, was enabling mandatory customer account login before checkout. The setting is accessible in Shopify's admin panel under Settings > Checkout. Forcing that requirement means that the checkout flow - even when accessed directly through the myshopify.com subdomain - demands authenticated credentials before any cart action can proceed. According to the post: "This is the ONLY one that helped: we went into the settings and forced Customer Accounts Required for Checkout."

A conflict with Google Merchant Center policy

The mandatory login solution introduces a compliance tension that Krystal G., founder of an agentic commerce intelligence firm, surfaced in a LinkedIn post referencing the Reddit thread. Forcing account creation before checkout conflicts with Google Merchant Center's checkout requirements, which explicitly state that guest checkout must remain available.

According to Google's Merchant Center help documentation on checkout requirements: "Customers on your website can checkout as guests or verify their information via a mobile or desktop one-time passcode." The same documentation states that merchants may require account creation, but "the account signup must be straightforward" - meaning the account must be free and must not require an app download or device change. However, the broader policy intent, as noted by Emmanuel Flossie - a Google Shopping Specialist and Google Ads Diamond Product Expert - in a comment on the LinkedIn thread, is that guest checkout must remain accessible.

This creates a practical bind. A merchant defending against bot floods through mandatory login may be placing their product listings at risk of disapproval under Google's Shopping ads policies. According to the same policy documentation, "failure to comply with Shopping ads policies can result in your ads and listings being disapproved or your account being suspended." The policy specifically lists the checkout page, shopping cart, and terms and conditions among pages that must be accessible in the same language as the product feed, implying those pages must be reachable without authentication barriers beyond a simple one-time passcode.

The Google Merchant Center documentation also states that merchants must "ensure that the product availability in your product data matches the availability on your landing page and checkout pages" and that "customers should be able to add in stock products to their cart and finalize their purchase." Whether a mandatory login screen satisfies that accessibility standard is not addressed in the documentation reviewed. Separately, the documentation is firm that adding any fees at checkout that increase the total price - outside government-mandated charges - constitutes a policy violation. The pricing and availability consistency requirements remain in effect regardless of what security configuration a merchant applies at login.

What the bots are actually doing

Community members in the thread offered several explanations for the attack's purpose. One commenter with a Shopify Expert flair explained the goal as scraping product listings to clone websites 1:1 for fraud. Another identified AI scraping and model training as the mechanism. A third noted: "Only happens since Shopify turned on their AI advertising." DiscoverMyBusiness confirmed the scraping explanation as the most consistent with what they observed in logs.

A commenter using the handle siterightaway described the scale of the broader problem: "The sheer scale of the current threat landscape is becoming absurd with intensity peaks hitting 205 million requests per second in recent recorded HTTP attacks." The figure, cited without a source in the thread, reflects a pattern visible across independent research. AI-driven bot traffic across approximately 200 retail and e-commerce websites increased 5.4 times during 2025, with the index moving from a baseline of 100 in the first quarter to roughly 640 by the fourth quarter, according to Botify analysis cited in a March 2026 report from Retail Economics, AWS, Botify, and DataDome.

The same report found that 79.7% of the 698,214 live websites analysed did not block or challenge a spoofed ChatGPT user-agent, and 79.2% of those returned a 200 OK response - meaning they admitted the spoofed agent without challenge.

Bot fraud is worsening industry-wide

The Shopify incident sits inside a broader surge in automated abuse. Bot fraud increased 101% year-over-year in 2024, with 16% of that growth stemming from bots linked to AI tools, according to DoubleVerify analysis published in July 2025. Major verification systems faced scrutiny after research showed approximately 40% of web traffic consists of fake users or computerised bots.

Cloudflare partnered with Visa and Mastercard in October 2025 to develop security protocols for automated commerce, attempting to create cryptographic authentication that distinguishes legitimate AI shopping agents from malicious bots. The system uses HTTP Message Signatures with public key cryptography - an approach designed specifically because traditional IP-based and user-agent-based identification is too easily spoofed. Yet that infrastructure addresses agent-level authentication at a protocol layer that is far upstream from the subdomain routing problem Shopify merchants face today.

Amazon and Shopify collectively control more than 50% of the US ecommerce market. Both platforms have faced pressure over how they handle bot traffic, with Amazon opting to block AI crawlers from major technology companies outright in August 2025, while Shopify introduced warning language in robots.txt files. The Reddit thread suggests that the warning language approach has not been effective at stopping malicious automation targeting the myshopify.com endpoint.

The agentic commerce context

The timing of the incident coincides with a period of rapid infrastructure build-out around AI-mediated commerce. Google launched the Universal Commerce Protocol on January 11, 2026, establishing open-source technical standards for AI agents to execute purchases across retail platforms. Shopify is one of the named partners in that rollout. Microsoft launched Copilot Checkout with PayPal, Shopify, and Stripe integration on January 8, 2026, with the announcement claiming journeys through Copilot produce 53% more purchases within 30 minutes.

These integrations require checkout to be accessible and structurally sound. Merchants who lock their checkout behind mandatory authentication in response to bot attacks may find themselves excluded from, or non-compliant with, the growing range of AI commerce channels that depend on open checkout access. The requirement for human-in-the-loop verification - the logic behind why mandatory login stopped the bots - is simultaneously the quality that makes a storefront incompatible with fully autonomous agent purchasing.

Krystal G. summarised the tension directly in the LinkedIn post: "Agentic commerce will not scale if we do not address the bot issue. Adversarial commerce will be from both the agent side and merchants who learn to game the system."

The comment from Kamran Javeed, Head of Ecommerce at a direct-to-consumer brand, in the same LinkedIn thread, raised the conversion impact: "Forcing customers to create accounts looks like a good solution. What's your opinion on the impact on sales? I think decision-making time can increase and customers can abandon checkout." The tradeoff is real. Shopify's own support structure has already drawn criticism from merchants who found that reaching a human agent to resolve technical issues was itself nearly impossible, given the platform's shift to AI-first support for non-Plus plans.

What merchants are doing in practice

Several responses in the thread described workarounds that do not require mandatory login. One merchant described delaying payment capture until the moment of shipping for handmade goods with a 1-3 day production window, eliminating any incentive for bots running card testing attacks. Another described using Shopify Flow automation to tag and delete inauthentic customer accounts before they entered downstream marketing integrations - though at 50,000 checkouts per cycle, that approach becomes operationally unsustainable quickly.

A commenter identified as paying for third-party bot blocking apps on a monthly subscription reported that the issue was "completely fixed," though they did not name the specific product. Another confirmed that moving inventory out of stock entirely removed the targeted products from bot activity, consistent with the original DiscoverMyBusiness report that out-of-stock items were the primary target.

The underlying problem - that the myshopify.com subdomain cannot be placed behind a merchant's own security configuration - remains unresolved. According to the Shopify Expert commenter, it "is something on a deeper level that the backend Shopify engineering team need to resolve." The commenter added that Shopify Plus merchants receive meaningfully better bot protection by default, suggesting the platform already differentiates its infrastructure security by plan tier. For merchants on standard plans, the gap is currently filled only by mandatory login - or not filled at all.

Timeline

  • July 2024 - HUMAN Security reports that 80% of companies on its platform block known large language model user-agents, reflecting broad concern about AI bot traffic across retail.
  • August 21, 2025 - Amazon updates its robots.txt file to block AI bots from OpenAI, Anthropic, Meta, Google, and Huawei, protecting its marketplace from third-party agent access. Coverage on PPC Land
  • September 29, 2025 - OpenAI and Stripe launch the Agentic Commerce Protocol, enabling purchases from Shopify merchants directly through ChatGPT conversations.
  • October 24, 2025 - Cloudflare announces partnerships with Visa and Mastercard for bot and agent authentication protocols using cryptographic verification. Coverage on PPC Land
  • Q4 2025 - AI-driven bot traffic across approximately 200 retail sites reaches 5.4x the Q1 2025 baseline, according to Botify analysis. Coverage on PPC Land
  • January 8, 2026 - Microsoft launches Copilot Checkout with Shopify, PayPal, and Stripe integration. Coverage on PPC Land
  • January 11, 2026 - Google launches the Universal Commerce Protocol with Shopify among the founding partners. Coverage on PPC Land
  • February 2026 - Bot fraud documented as having increased 101% year-over-year in 2024, per DoubleVerify. Coverage on PPC Land
  • March 2026 - Botify, AWS, Retail Economics, and DataDome publish retail bot traffic report. Coverage on PPC Land
  • March 2026 - Google Merchant Center tightens out-of-stock product page requirements, adding compliance weight to how merchants handle product availability at checkout. Coverage on PPC Land
  • April 2026 - Shopify merchant DiscoverMyBusiness publishes detailed Reddit post documenting a 500+ fake cart-per-hour bot attack traced to the myshopify.com subdomain, with the only effective countermeasure being mandatory account login before checkout.

Summary

Who: A Shopify merchant identified on Reddit as DiscoverMyBusiness, running a client store, discovered and documented the vulnerability. Krystal G., founder of an agentic commerce intelligence firm, amplified the case on LinkedIn. Emmanuel Flossie, a Google Shopping Specialist and Google Ads Diamond Product Expert, flagged the conflict with Google Merchant Center policy in the comments.

What: A bot attack generating more than 500 fake cart additions per hour bypassed every standard defence - including hCaptcha, reCAPTCHA, Cloudflare Challenge Mode, ASN blocking, and premium bot protection apps - by targeting the store's myshopify.com subdomain directly. Because Shopify controls the DNS and Cloudflare configuration for that subdomain, no merchant-side WAF rule applies. The only configuration that stopped the bots was enabling mandatory customer account login before checkout, which conflicts with Google Merchant Center's guest checkout requirement.

When: The attack and subsequent investigation were documented in a Reddit post published approximately six days before April 26, 2026. The LinkedIn discussion referencing the case was published approximately one day before April 26, 2026.

Where: The attack targeted a Shopify-hosted store accessible through both a custom domain and its default myshopify.com subdomain. The vulnerability is structural across all Shopify plans, with Plus merchants receiving meaningfully better built-in protection than standard plan merchants according to community reporting.

Why: The myshopify.com subdomain routes through Shopify's Enterprise Cloudflare account, not the merchant's own. Any security rules a merchant builds inside their own Cloudflare account apply only to traffic hitting their custom domain. Bots that bypass the custom domain and connect directly to the myshopify.com endpoint face no merchant-side filtering. The root cause is an architectural separation between the infrastructure Shopify controls and the infrastructure merchants can configure.
