Account security overview
To protect yourself from risk, learn about generating unique passwords for your accounts, as well as how to secure a compromised account and reset blacklisted credentials.
Generate unique passwords with a password vault
Many people use the same password for more than one account. Often they pair it with the same username or email address. Without unique passwords, if a username/password pair is exposed, then an attacker might gain access to another account that uses those credentials.
Using password vault software is a great way to generate and manage your passwords. When you use a password vault, you need to remember only the master key to the vault, and your other passwords can be autogenerated jumbles of letters, numbers, and symbols. Popular password vaults include LastPass, Dashlane, and 1Password.
Defend against phishing
Phishing attacks try to fool you into installing malicious software on your device or giving up sensitive information. Learn how to protect yourself.
Turn on two-step authentication
You can enable two-step authentication for your Shopify account to reduce the likelihood that someone who has acquired your password will be able to cause any damage. Your staff members can set up two-step authentication for their accounts as well.
It's a good idea to use two-step authentication on your other accounts whenever possible. Major services that support two-step authentication include:
Secure a compromised account
If your account has been compromised, then take action to protect your data right away.
- Log in to the email account that you use to log in to Shopify and change the password.
- Log in to Shopify and change the password for your Shopify account. If you can't log in, then reset your password. If you don't receive a password reset email, then contact Shopify Support.
- Enable two-step authentication for extra security at login. If two-step authentication is already configured and an attacker was able to defeat it — for example, they stole your device — then change your device and set up two-step authentication again.
- Check your banking details for Shopify Payments and update them if necessary.
- Check and update your banking details for PayPal and any other payment providers you have configured.
- Review your general account settings to make sure all other information is correct.
- Follow government guides to protect your identity and sensitive information.
Reset blacklisted credentials
Because many people use the same password for more than one account and pair it with the same username or email address, if a username/password pair is exposed, then an attacker might gain access to other accounts that use the same credentials.
To reduce the risk of this happening to you, we obtain and analyze information from public data leaks. If your credentials are found in any of these leaks, then we lock your account. When you try to log in, you will see an error message until you reset your password to one that has not been compromised.
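The leak check and lockout described above, shown as an added example (not Shopify's code). It assumes the check runs at login, when the plaintext password is available, against a constructed set of leaked email/password fingerprints; every name in it is hypothetical.

```python
import hashlib
import hmac
import os

def fingerprint(email: str, password: str) -> str:
    """Digest of a normalized email/password pair, used only for leak lookup."""
    pair = f"{email.strip().lower()}\x00{password}".encode()
    return hashlib.sha256(pair).hexdigest()

# Constructed sample standing in for pairs parsed from a public data leak.
LEAKED = {fingerprint("owner@example.com", "Summer2019!")}

def _kdf(password: str, salt: bytes) -> bytes:
    # Slow salted hash for storage; the fast fingerprint above is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.locked = False
        self._store(password)

    def _store(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _kdf(password, self.salt)

    def login(self, password: str) -> str:
        if not hmac.compare_digest(_kdf(password, self.salt), self.pw_hash):
            return "invalid"
        # A correct password that appears in a leak locks the account.
        if self.locked or fingerprint(self.email, password) in LEAKED:
            self.locked = True
            return "reset_required"
        return "ok"

    def reset_password(self, new_password: str) -> bool:
        # Assumes the caller already proved identity through the reset email.
        if fingerprint(self.email, new_password) in LEAKED:
            return False  # the replacement must not be a compromised pair
        self._store(new_password)
        self.locked = False
        return True
```

Because the lookup is on the email/password pair, a second account that uses the same password with a different email address is not locked by this check.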
Suspicious login activity
To prevent attackers from logging in to Shopify accounts, Shopify's security systems lock account access when they detect unusual activity. In these cases, you need to confirm your identity as part of the login process.
A six-digit code is sent to your login email address. You can use this code to confirm your identity and complete the login.
On the Verify your identity page, enter the code sent to your email and click Login.
After you successfully confirm your identity, review the information about the previous suspicious login and indicate whether the login was made by you by clicking Yes, this was me or No, this wasn't me.
If you click No, this wasn't me, then Shopify requires you to reset your password to keep your account safe before logging in to your account.