DIGITAL EXPOSURE REPORT

Target: security@shopify.com / shopify.com

Assessment date: 2026-03-25 05:54 UTC | osint-exposure-toolkit v1.0.0

Passive OSINT | Authorized Assessment

Executive Summary

63/100 HIGH EXPOSURE

Credential Leaks:         4
GitHub Secrets:           0
Social Profiles Exposed:  5
Email Spoofability:       2/10
Shodan Open Ports:        13

Severity Breakdown

CRITICAL  1
HIGH      1
MEDIUM    1
LOW       4
INFO      0

Credential Leaks HIBP (Demo)

Name  Domain  Breach Date  Data Classes  Verified  Records

GitHub Exposure

Found 10 repositories (0 active in last 30 days). Secrets detected: 0

Repositories

Repository                         Language    Stars  Last Pushed           Active (≤30d)  Risk
amazon-cloudfront-developer-guide              0      2020-12-18T18:21:33Z  NO             Low
awesome                                        0      2020-02-04T18:48:53Z  NO             Low
cmp                                JavaScript  0      2021-10-01T18:13:46Z  NO             Low
COVID-19                                       0      2020-04-13T02:44:39Z  NO             Low
distancing-data                    HTML        1      2023-05-10T06:30:00Z  NO             Low
flow-typed                         JavaScript  0      2018-11-29T17:24:23Z  NO             Low
grouch                                         0      2018-02-15T05:33:34Z  NO             Low
headerbid-expert                   JavaScript  0      2019-01-24T03:07:25Z  NO             Low
Jcrop                              JavaScript  0      2013-07-18T00:38:30Z  NO             Low
jquery-modules                     JavaScript  0      2012-05-29T23:46:44Z  NO             Low

Secrets

No secrets detected in scanned repositories.

Email Intelligence

Email Address:  security@shopify.com
Domain:         shopify.com
Format Valid:   ✓ Valid
Mail Provider:  Google Workspace
Is Disposable:  No
MX Records:     alt1.aspmx.l.google.com, alt2.aspmx.l.google.com, alt3.aspmx.l.google.com, alt4.aspmx.l.google.com, aspmx.l.google.com
SMTP Verified:  VERIFIED
SPF Present:    ✓ Present

Social Footprint

Username variants checked: tobi, security

Positive Signals

HackerOne — Security Researcher — positive signal.

Bugcrowd — Security Researcher — positive signal.

5 platform(s) exposed (2 positive security signals excluded)

Paste Site Exposure

⚠️ Email found in 2 public paste(s).
Source    ID        Title             Date                  Email Count
Pastebin  Yh7KxP1Q  corp dump sample  2024-01-20T11:30:00Z  1
Pastebin  M9kq2ZaR  credentials list  2024-08-04T16:05:00Z  1

JS File Secrets

Scanned 0 JS file(s).

No secrets detected in scanned JS files.

Email Authentication

Record   Status   Detail
SPF      MISSING  SOFTFAIL
DMARC    REJECT   reject | rua=mailto:dmarc-aggregate@shopify.com
DKIM     FOUND    2 selector(s) found
MTA-STS  MISSING  MISSING

LOW SPOOFING RISK (2/10)

Document Metadata

Found 0 document(s), scanned 0.

No metadata leaks detected in scanned documents.

Google Dork Recipe

Credential & Token Exposure
site:pastebin.com "security@shopify.com"
site:github.com "security@shopify.com" (password OR "api key" OR token)
site:github.com "shopify.com" (password OR secret OR api_key OR access_token)
site:gitlab.com "shopify.com" (password OR secret OR token)
site:stackoverflow.com "security@shopify.com" "api key"

Live hits detected on DuckDuckGo

Paste this query into Google to manually verify.

Exposed Configs & Env Files
site:shopify.com (filetype:env OR inurl:.env)
site:shopify.com (filetype:yaml OR filetype:yml) (password OR token OR secret)
site:shopify.com (filetype:json OR filetype:ini) (apikey OR auth OR credential)
site:github.com "shopify.com" filename:.env
site:github.com "shopify.com" (filename:config.yml OR filename:settings.py) (secret OR token)

Live hits detected on DuckDuckGo

Paste this query into Google to manually verify.

Backups & Archives
site:shopify.com (ext:bak OR ext:old OR ext:backup OR ext:tmp)
site:shopify.com (ext:zip OR ext:tar OR ext:gz OR ext:7z) (backup OR database)
site:shopify.com intitle:"index of" (backup OR dump OR archive)
site:shopify.com (inurl:backup OR inurl:backups OR inurl:dump)

Not checked (query-check disabled, capped by limit, or rate blocked)

Paste this query into Google to manually verify.

Cloud Storage & Buckets
site:s3.amazonaws.com "shopify.com"
site:s3.amazonaws.com "security@shopify.com"
site:blob.core.windows.net "shopify.com"
site:storage.googleapis.com "shopify.com"
site:digitaloceanspaces.com "shopify.com"

Not checked (query-check disabled, capped by limit, or rate blocked)

Paste this query into Google to manually verify.

Admin & Management Surfaces
site:shopify.com (inurl:admin OR inurl:login OR inurl:dashboard)
site:shopify.com (inurl:wp-admin OR inurl:phpmyadmin OR inurl:cpanel)
site:shopify.com (inurl:jenkins OR inurl:grafana OR inurl:kibana)
site:shopify.com (inurl:swagger OR inurl:api-docs OR inurl:redoc)

Not checked (query-check disabled, capped by limit, or rate blocked)

Paste this query into Google to manually verify.

Error, Debug & Log Leakage
site:shopify.com ("SQL syntax" OR "stack trace" OR "Traceback")
site:shopify.com ("Exception" OR "Unhandled" OR "Fatal error")
site:shopify.com "Index of /" (inurl:logs OR inurl:debug)
site:shopify.com (filetype:log OR filetype:txt) (error OR exception OR warning)

Not checked (query-check disabled, capped by limit, or rate blocked)

Paste this query into Google to manually verify.

Documents & Sensitive Terms
site:shopify.com (ext:pdf OR ext:doc OR ext:docx OR ext:xls OR ext:csv)
site:shopify.com filetype:pdf ("confidential" OR "internal use" OR "do not distribute")
site:shopify.com ("private key" OR "internal only" OR "restricted") filetype:pdf
site:shopify.com filetype:xlsx (salary OR payroll OR invoice)

Not checked (query-check disabled, capped by limit, or rate blocked)

Paste this query into Google to manually verify.

CI/CD & DevOps Exposure
site:shopify.com (.gitlab-ci.yml OR Jenkinsfile OR docker-compose.yml)
site:github.com "shopify.com" ("workflow" OR "actions") (secret OR token)
site:shopify.com (inurl:.git OR inurl:.svn)
site:shopify.com ("npmrc" OR "pypirc" OR "pip.conf") (token OR password)

Not checked (query-check disabled, capped by limit, or rate blocked)

Paste this query into Google to manually verify.

These are passive reconnaissance queries only. Results are informational. Always obtain authorization before investigating any target.

Shodan Recon

IP Address    Org / ISP      Country  Open Ports                                                                 CVEs  Severity
23.227.38.33  Shopify, Inc.  Canada   80, 443, 2052, 2053, 2082, 2083, 2086, 2087, 2095, 2096, 8080, 8443, 8880         MEDIUM

Risk Summary & Recommendations

ID          Category                 Risk      Score Impact  Recommendation
CRED-001    Credential Leak          CRITICAL  30            Reset passwords and enforce MFA for all affected accounts.
EMAIL-001   Email Intelligence       LOW       3             Use monitored inboxes, anti-abuse rules, and stricter onboarding controls.
SOC-001     Social Footprint         MEDIUM    5             Review profile privacy and remove unnecessary public identifiers.
PASTE-001   Paste Exposure           HIGH      15            Perform credential rotation and monitor paste sites continuously.
DNS-001     Email Authentication     LOW       4             Enforce SPF -all, DMARC reject/quarantine, and operational DKIM selectors.
DORK-001    Search Engine Exposure   LOW       2             Review indexed content and harden access/robots directives where appropriate.
SHODAN-001  Host & Service Exposure  LOW       4             Restrict exposed management/database ports to private networks and review public service hardening.

Appendix

This report was generated passively using publicly available data sources. No unauthorized access was performed. Assessment conducted by Sagar Biswas.