On June 20, someone placed an order on our store for a BioLite FirePit+ and a TOPS Hammer Hawk. Two solid pieces of gear, $819.95 before shipping. They paid $72.10. Not because we ran a sale. Because a bot found a test coupon code we forgot to delete, and that code knocked the entire $819.95 off the order.
We fulfilled it. We shipped it. UPS delivered it five days later. By the time we connected the dots, the gear was already gone.
If you run a store, treat this as your reminder to delete test coupon codes the second you are done with them. There are people running bots that exist to find exactly this kind of mistake.
What actually happened?
A leftover test discount code zeroed out a real order, and the product shipped before we caught it.
Here is the full picture. We had set up a temporary discount code to test something on the backend. The rule of good housekeeping is that you delete a code like that the moment the test is finished. We did not do it fast enough. Within that window, an order came through: a BioLite FirePit+ at $399.95 and a TOPS Hammer Hawk with TOPS Backup at $420.00, for a subtotal of $819.95. The discount wiped all $819.95 off. The buyer paid $72.10, which was nothing but shipping ($67.38) and tax ($4.72).
The order went straight into fulfillment, shipped UPS, and was delivered on June 25. We essentially mailed someone two pieces of gear for the cost of postage.
How do bots find your test coupon codes?
They do not sit there guessing one site at a time. They run automated scripts that throw thousands of common code patterns at your checkout until one of them works.
This has a name. Security researchers call it coupon glittering: bots hunting for valid or leftover promo codes across many sites, then applying them at scale. The patterns they try first are the obvious ones. TEST. SAVE10. WELCOME. The brand name plus a number. If your code looks like anything a human would casually type, it is on their list. They also scrape site code and ride along on browser coupon extensions. Once a code works on your store, it keeps working until you kill it.
Why is one forgotten test code so dangerous?
Because a test code usually has none of the guardrails a real promo has.
A real welcome offer is built carefully. Ten percent off, one order per customer, an expiration date, maybe some product exclusions. A code you whipped up to test something on a Tuesday afternoon often has none of that. No expiration. No usage cap. No per-customer limit. So a single sloppy code can take 100 percent off, an unlimited number of times, and every one of those orders flows into fulfillment before a human ever looks at it. This is not a rare problem either. Industry research suggests the large majority of retailers have dealt with some form of promo abuse in the past year.
These are not shoppers. They are resellers.
The account that hit us was not a customer who got lucky at checkout. It traced back to a reseller that turns around and lists the same gear on eBay.
That is the part worth understanding. The bots are not run by bargain hunters. They are run by operations that get the product for the price of shipping and flip it for full margin. And to be clear about what that is: using a stolen, cloned, or unauthorized code to take products is fraud. Reselling those products does not launder it into something legitimate. It is theft, not a clever loophole.
How do you prevent coupon code abuse?
Start by assuming someone is always testing your door to see if you left it unlocked, then close the obvious gaps. A few that would have saved us:
-
Delete or expire every test code the moment the test ends. This is the one that got us.
-
Never use a guessable format like TEST or SAVE10 or your brand name plus 10. Use random alphanumeric codes long enough that a bot cannot stumble onto them.
-
Set a usage limit and a per-customer limit on every code you create, including internal ones.
-
Add an expiration date to everything, even a code you only plan to use for ten minutes.
-
Use single-use, uniquely generated codes for campaigns where you can, so there is nothing reusable to share or hammer.
-
Watch for redemption spikes, especially at odd hours, and set an alert so a code going wild wakes someone up.
-
On Shopify, lean on server-side eligibility and customer allowlists so that even a leaked code still will not qualify a random account.
What we changed
The fix was not complicated, which is the frustrating part. Every test code now gets an expiration when it is created and gets deleted the second we confirm the test worked. No code lives a minute longer than it needs to.
The lesson cost us two pieces of gear and the shipping to hand-deliver them to someone flipping our product. Cheap tuition, but tuition.
Interested in learning more?
If you like the operator side of running a store, a couple of other pieces worth your time: How We Built a 7-Figure Whatnot Channel and From Cost Line to Profit Line.
Frequently asked questions
What is a test coupon code?
A test coupon code is a temporary discount code a store creates to confirm that a promotion, integration, or checkout flow works correctly. It is meant to be deleted as soon as the test is finished.
Can bots really guess discount codes?
Yes. Bots run automated scripts that try thousands of common code patterns at checkout, a tactic often called coupon glittering. If your code uses a predictable format or was left active, they will eventually land on it.
How fast should you delete a test coupon code?
Immediately after the test is done. The safest habit is to add an expiration to the code when you create it and delete it the moment you confirm the test worked, so a forgotten code cannot sit live for hours.
What is coupon glittering?
Coupon glittering is when fraudsters use bots to hunt for valid or leftover promo codes across many websites, then apply them at scale to get unauthorized discounts or free products.
How do you prevent coupon code abuse on Shopify?
Use random, hard to guess codes, set usage and per-customer limits, add expiration dates, delete test codes right away, monitor for sudden redemption spikes, and use server-side eligibility rules so leaked codes still will not qualify random accounts.
Is reselling products bought with an abused coupon illegal?
Using stolen, cloned, or unauthorized coupon codes to obtain products is considered fraud, and reselling those products does not make it legitimate. It is theft, not a loophole.
Final thoughts
The mistake here was not some sophisticated breach. It was housekeeping. A test code that should have lived for ten minutes lived a few hours too long, and a bot was waiting for exactly that.
The internet has automated the job of finding your small mistakes. So the move is to stop leaving them lying around. Delete your test coupon codes. Put an expiration on everything. And assume someone is always checking the door to see if you left it unlocked.


























