One Promo Code Cost a Shopify Store €18,000 in a Weekend

The 48-hour window between a leaked promo code and a weekend of lost margin.

A Shopify merchant posted on r/ecommerce this week that a single promo code, meant for a small segment, spread outside the intended list and drained roughly €18,000 in 48 hours. The failure mode was not the discount amount. It was Shopify's default "limit one per customer," which validates on email only and does not block Gmail plus-aliases, period variants, or guest checkout with a fresh address.

The original post is anonymous, which is useful because the specifics do not matter. A similar thing will happen to a similar merchant next weekend. What is worth looking at is the set of platform defaults that made €18,000 of damage possible from a single code.

How a €18,000 weekend actually adds up

The arithmetic is not dramatic. It is just fast. Assume an average order value around €85, which is typical for a Shopify apparel or home goods store running a segment promo. At a 30% off code, each fraudulent redemption costs roughly €25 in margin. At a 40% off code stacked with an auto-applied 10% cart incentive, the effective hit climbs to around €40 per order.

That means €18,000 of damage only needs somewhere between 450 and 700 bad redemptions over a weekend. For a store already pushing traffic to a holiday sale, 450 fraudulent orders can hide inside a 2x traffic spike without anyone noticing. The post-mortem only catches it Monday when the refund queue, the margin report, and the repeat-address flags all hit together. By then the code is already on three coupon sites.

The reason the number feels shocking is that store owners benchmark it against the discount percentage, not the volume of bad redemptions the current setup allows. The discount is not the leak. The cap enforcement is.

"One per customer" is an email check, not a customer check

Shopify's combining-discounts documentation treats the "limit one per customer" toggle as a customer-level cap. What it actually does is match on an email address.

That sounds fine until you look at what Gmail treats as equivalent. The plus-sign format (user+anything@gmail.com) and internal periods (u.s.er@gmail.com) both route to the same inbox but register as different values at checkout. Growth Suite's analysis calls this out directly: Shopify does not use IP address validation for discount limits. Email is the entire line of defense, and email is trivially multiplied on the abuser's side.

Guest checkout widens the hole. If accounts are not required, the cap is enforced against whatever string the shopper types into the email field. On Black Friday this feels like a small risk. On any weekend where a code escapes a segment, it stops feeling small. One motivated shopper on a laptop can mint twenty "unique" customers before coffee.
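To make the gap concrete, here is an added example (written for this piece, not code from Shopify or from the Reddit poster) that runs a Monday-morning review over a constructed list of redemptions for one code. It canonicalises addresses the way the providers do (case-folding, dropping a "+tag", and for Gmail removing dots and folding googlemail.com) and then compares what an exact-string "one per customer" check sees against what a canonical-identity check sees. The sample records are invented; the plus-tag stripping for non-Gmail domains is a review heuristic, not something every provider honours.

```python
from collections import defaultdict

# Constructed sample of redemptions for one promo code: (checkout email, order id).
# Invented for this example; not data from the post.
SAMPLE_REDEMPTIONS = [
    ("alice@gmail.com", "1001"),
    ("alice+bf@gmail.com", "1002"),
    ("a.l.i.c.e@gmail.com", "1003"),
    ("ALICE@googlemail.com", "1004"),
    ("bob@example.com", "1005"),
    ("bob+promo@example.com", "1006"),
    ("carol@example.com", "1007"),
]

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(email: str) -> str:
    """Collapse the alias tricks that defeat an exact-string 'one per customer' check.

    - case-folds the whole address
    - strips a '+tag' sub-address (assumed honoured by the provider; true for Gmail,
      a heuristic for everyone else)
    - for Gmail/Googlemail, removes dots in the local part and folds the domain
    """
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def count_by_raw_email(redemptions) -> int:
    """What an exact-string check sees: every distinct string is a distinct customer."""
    return len({email for email, _ in redemptions})


def cluster_by_canonical(redemptions) -> dict:
    """Group redemptions by canonical identity; returns {canonical email: [order ids]}."""
    clusters = defaultdict(list)
    for email, order_id in redemptions:
        clusters[canonical_email(email)].append(order_id)
    return dict(clusters)


def flag_repeat_customers(redemptions, limit: int = 1) -> dict:
    """Canonical identities that exceeded the per-customer limit, with their order ids."""
    return {k: v for k, v in cluster_by_canonical(redemptions).items() if len(v) > limit}


if __name__ == "__main__":
    print("distinct raw emails:", count_by_raw_email(SAMPLE_REDEMPTIONS))
    print("distinct canonical customers:", len(cluster_by_canonical(SAMPLE_REDEMPTIONS)))
    for who, orders in flag_repeat_customers(SAMPLE_REDEMPTIONS).items():
        print(f"over limit: {who} -> orders {orders}")
```

On the sample, the raw check counts seven customers, the canonical check counts three, and two of those three are over the one-per-customer limit. The same grouping works as a refund-queue filter: cluster first, then decide what to do with the cluster rather than with individual orders.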

Why codes leak in the first place

Codes do not stay in segments. LoudCrowd's breakdown of coupon fraud tactics explains the pipeline: browser extensions like Honey, RetailMeNot, and Rakuten scrape active codes during real checkouts, then broadcast them to their own user bases. Honey alone has roughly 17 million active users, per Growth Suite's figures. A code entered by one shopper with an extension installed is, in practical terms, a public code.

The same data pins down the timeline most store owners do not think about: the average code lifespan from first public appearance to wide circulation is roughly 48 hours, and around 73% of codes end up on an aggregator within a week. That matches the Reddit post's window almost exactly. Two days, one leaked code, a lot of lost margin.

Three settings that do most of the work

If you ship anything with a discount code from here on out, these are the low-effort changes.

1. Unique, single-use codes instead of a shared string. Social Snowball's prevention guide leans on this as the base layer: generate a unique code per recipient, each redeemable once. A home goods brand called Tumble ran the playbook and claimed 22.86x ROI with a 4% lift in total revenue. Those numbers come from a vendor case study, so discount them accordingly, but the mechanic is real. A code that expires on first use cannot be reposted to an aggregator in any meaningful way.

2. Disable combinable discounts by default. Shopify's Winter '26 update tightened the logic around stacking, per Seguno's walkthrough, and the default stance should be "off." Combinable discounts are where the compounding losses come from. A code that gives 20% becomes a code that gives 50% once it chains with an automatic discount and a cart-abandonment recovery offer. That math is what turns a leak into a weekend blowup.

3. Cap total uses, not just per-customer uses. A global cap of, say, 200 redemptions for a segment-targeted campaign is the brake that actually holds. The per-customer limit is porous, as covered above, but a global cap hits regardless of how many email variants the abuser invents. Pair it with an expiration date measured in hours, not days.

None of this is new advice. It is also advice that a large share of Shopify stores quietly do not follow, because setting up one shared code is faster than generating a unique code list and wiring the send.
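The three settings above fit together as one redemption policy. The following is an added example (not Shopify's discount engine and not from any vendor named here) that models a campaign the way the list recommends: an unguessable single-use code per recipient, stacking refused by default, a global cap on total redemptions, and an expiry measured in hours. The Campaign class, its field names and the "SEG-" code prefix are all assumptions made for the example; the `simulate_leak` function plays the role of a leaked code being tried with a batch of freshly invented email addresses.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Campaign:
    """Hypothetical model of a segment promo with the three brakes from the list."""
    percent_off: int
    global_cap: int                 # total redemptions across every code in the campaign
    valid_hours: int                # expiry measured in hours, not days
    combinable: bool = False        # stacking with automatic discounts is off by default
    bind_to_recipient: bool = True  # code only valid for the address it was sent to
    issued_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    codes: dict = field(default_factory=dict)       # code -> recipient email (lower-cased)
    used_codes: set = field(default_factory=set)
    total_redeemed: int = 0

    def issue_codes(self, recipients) -> dict:
        """One unguessable code per recipient; returns {recipient: code}."""
        out = {}
        for r in recipients:
            code = f"SEG-{secrets.token_hex(4).upper()}"  # 32 random bits; fine for a one-shot code
            self.codes[code] = r.lower()
            out[r] = code
        return out

    def hours_after_issue(self, hours: float) -> datetime:
        return self.issued_at + timedelta(hours=hours)

    def try_redeem(self, code: str, email: str, cart_has_other_discount: bool, now=None):
        """Return (ok, reason). None of the checks depend on how many email variants exist."""
        now = now or datetime.now(timezone.utc)
        if now > self.hours_after_issue(self.valid_hours):
            return False, "expired"
        if self.total_redeemed >= self.global_cap:
            return False, "global cap reached"
        owner = self.codes.get(code)
        if owner is None:
            return False, "unknown code"
        if code in self.used_codes:
            return False, "code already used"
        if self.bind_to_recipient and owner != email.lower():
            return False, "code not issued to this customer"
        if cart_has_other_discount and not self.combinable:
            return False, "cannot combine with another discount"
        self.used_codes.add(code)
        self.total_redeemed += 1
        return True, "ok"


def simulate_leak(campaign: Campaign, code: str, attempts: int) -> int:
    """A leaked code tried with `attempts` fresh addresses; returns how many succeed."""
    return sum(
        campaign.try_redeem(code, f"shopper{i}@example.net", False)[0]
        for i in range(attempts)
    )


if __name__ == "__main__":
    camp = Campaign(percent_off=30, global_cap=200, valid_hours=6)
    codes = camp.issue_codes(["alice@example.com"])
    leaked = codes["alice@example.com"]
    print("successes for 20 fresh addresses, bound code:", simulate_leak(camp, leaked, 20))
    unbound = Campaign(percent_off=30, global_cap=200, valid_hours=6, bind_to_recipient=False)
    leaked = unbound.issue_codes(["alice@example.com"])["alice@example.com"]
    print("successes for 20 fresh addresses, unbound code:", simulate_leak(unbound, leaked, 20))
```

Binding the code to its recipient is the strictest setting and will reject a legitimate recipient who checks out with a different address; the single-use property is the control that matters, since even an unbound leaked code burns on its first use. The global cap and the expiry sit above all of that and hold regardless of what the abuser does with email.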

The Cloudflare layer most stores ignore

Practical Ecommerce's walkthrough of how one merchant restricts coupon abuse adds a layer most Shopify stores miss: IP-based rate limiting at the edge. Using Cloudflare's Web Application Firewall to throttle repeated account creation or repeated checkout attempts from the same IP blocks the cheapest flavor of abuse, which is one laptop creating ten emails.

This will not stop a determined abuser on a VPN rotation. It does stop the shrug-and-try-it bystander who just saw a code on Reddit. From what I have seen, shrug-and-try-it is where most of the loss actually comes from. The determined abuser is rare. The opportunist is every third cart.
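What the edge rule does, and where it stops, is easier to see against a log. The block below is an added example and not Cloudflare's implementation: a sliding-window limiter keyed by client IP that models a rule of the form "at most N account-creation or checkout requests per IP per window, then block that IP for a cooling-off period", replayed over a constructed access log. The log lines, IP addresses (from the documentation ranges) and paths are invented for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed access log: one IP hammering account creation, one normal shopper,
# one browsing request the rule does not apply to. Invented for this example.
SAMPLE_LOG = "\n".join(
    [f"2024-11-29T10:00:{2 * i:02d}Z 203.0.113.7 POST /account" for i in range(12)]
    + [
        "2024-11-29T10:00:05Z 198.51.100.4 POST /account",
        "2024-11-29T10:00:40Z 198.51.100.4 POST /checkout",
        "2024-11-29T10:00:10Z 192.0.2.10 GET /products/hat",
    ]
)

# Paths the (hypothetical) rate-limiting rule applies to.
LIMITED_PATHS = {"/account", "/checkout"}


class EdgeRateLimiter:
    """Sliding-window limiter per IP: `limit` hits per `window_s`, then blocked for `block_s`."""

    def __init__(self, limit: int, window_s: float, block_s: float):
        self.limit, self.window_s, self.block_s = limit, window_s, block_s
        self.hits = defaultdict(deque)   # ip -> timestamps (epoch seconds) inside the window
        self.blocked_until = {}          # ip -> epoch seconds

    def allow(self, ip: str, now: float) -> bool:
        if self.blocked_until.get(ip, float("-inf")) > now:
            return False
        q = self.hits[ip]
        while q and q[0] <= now - self.window_s:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            self.blocked_until[ip] = now + self.block_s
            return False
        q.append(now)
        return True


def parse_line(line: str):
    """'<iso timestamp> <ip> <method> <path>' -> (epoch seconds, ip, method, path)."""
    ts, ip, method, path = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
    return when, ip, method, path


def replay(log: str, limit: int, window_s: float, block_s: float) -> dict:
    """Replay the log through the limiter; returns {ip: (allowed, blocked)}."""
    limiter = EdgeRateLimiter(limit, window_s, block_s)
    allowed, blocked = defaultdict(int), defaultdict(int)
    for when, ip, method, path in sorted(parse_line(l) for l in log.splitlines() if l.strip()):
        if method == "POST" and path in LIMITED_PATHS and not limiter.allow(ip, when):
            blocked[ip] += 1
        else:
            allowed[ip] += 1
    return {ip: (allowed[ip], blocked[ip]) for ip in set(allowed) | set(blocked)}


if __name__ == "__main__":
    for ip, (ok, no) in sorted(replay(SAMPLE_LOG, limit=5, window_s=60, block_s=600).items()):
        print(f"{ip:14} allowed={ok:2} blocked={no:2}")
```

With a limit of five per minute, the noisy IP gets its first five account creations through and the next seven are refused; the normal shopper and the browsing request are untouched. The same replay also shows the limit's blind spot from the paragraph above: split those twelve requests across three addresses and every one of them passes, which is why the edge rule is a complement to the global cap, not a replacement for it.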

The affiliate trap that compounds the damage

There is one more category of loss that looks like discount abuse but is really attribution theft. LoudCrowd notes that coupon extensions inject themselves into the checkout flow right before payment, which means a shopper who came in through a creator link can have that attribution overwritten by Honey on the last click. The merchant pays the creator for the sale. The merchant also pays Honey for the same sale. Two affiliate commissions, one customer, one discount.

On paper, that sounds like a platform problem. And sometimes it is. But every hour spent tightening your own discount hygiene is an hour not spent arguing with attribution vendors, which is roughly the correct trade.

For a related read, our earlier piece on how 49% of gift shoppers reach for AI before hitting a product page is worth pairing with this one. Both point at the same quiet shift: the surface where the first click happens is not the surface your store controls.

The part worth budgeting for

The €18,000 in the Reddit post is a small number in the scheme of a holiday season. The number that matters is the ratio between the effort to prevent it and the cost of it happening. Generating a unique-code list takes an hour. Disabling stacking takes a minute. Setting a global cap takes thirty seconds. The cumulative fix is under two hours of work per campaign.

I would not wait for a clean weekend to make the change. The next leaked code is already inside a browser extension somewhere. Whether it hits your store this weekend or next is mostly a function of which code your segment share happens to have.

Notice Me Senpai Editorial