Getting bug report emails that are probably a scam

Topic summary

A store owner received an email from a Gmail account claiming to have discovered a security vulnerability related to session invalidation during password resets. The report alleges that when a password is reset, existing logged-in sessions remain active instead of being terminated, potentially allowing unauthorized access.

Community consensus confirms this is a scam:

  • Legitimate Shopify communications only come from official domains (@shopify.com, @email.shopify.com, @em.shopify.com, @shopify-billpay.melio.com)
  • Emails from public services like Gmail are not from Shopify and should be treated as phishing attempts
  • Similar scam tactics frequently appear targeting store owners with fake compliance, trademark, or security issues

Regarding the reported vulnerability:
The technical claim itself is considered nonsense designed to gain site access. While some scams may reference real general issues to appear credible, this particular report is part of a known pattern where scammers pose as security researchers to extract money without providing legitimate services.

Summarized with AI on October 27. AI used: claude-sonnet-4-5-20250929.

We got this email from a Gmail account and then follow-ups. I’m sure it’s a scam, but is there a bug or anything to worry about?

> Vulnerability: Failure to invalidate session on forget password
>
> I have observed that when we request a forgot password link it updates the session instead of expiration. If an account is logged in some account and the password reset link is used, the other account will get updated but not expired.
>
> Steps to reproduce:
> 1. Request a forgot password link.
> 2. Now log in in another browser and then use the password reset link in another browser.
> 3. You will notice that the password will be changed successfully and the other browser will still be active with the account you opened in it.
>
> Recommendations:
> It should expire immediately when the password is changed.
>
> Impact:
> If some account is logged in in some browser it will not be logged out from that browser and will stay logged in and can be used for malicious activities.
>
> Thank you for your attention to this matter, and we look forward to assisting you in resolving this issue promptly. I represent a team of penetration testing service providers. We specialize in identifying and addressing potential security vulnerabilities to help ensure the integrity and safety of online platforms.

Hi @lightandspace

Welcome to the community. And yes, if it is a Gmail address, it is a scam, no matter what they say and how plausible it sounds.

https://help.shopify.com/en/manual/privacy-and-security/account-security/phishing#recognizing-legiti…

Recognizing legitimate Shopify emails

Shopify will only send emails from official domains such as @shopify.com, @email.shopify.com, @em.shopify.com, and @shopify-billpay.melio.com. Emails from public email services such as Gmail, Yahoo, Apple mail, or Hotmail aren’t from Shopify and should be treated as potential phishing attempts.

Now if you search here or on Google you could find hundreds of topics with the same scam tactics: trademark, compliance, performance, accessibility rules and so on. There are also a few topics that show in detail the full path that scammers take until they get the money and do nothing.


Thanks Laza. I realize it is not an official Shopify email; I meant, is that vulnerability a real thing or just nonsense for them to try to get access to the site?


Just nonsense, like you say. But some of the scams use real issues in general that might happen, and then if it passes, it passes.
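The thread's verdict is that this specific report is a scam, and nothing here says anything about how Shopify itself handles sessions. The general control the email describes in its "Recommendations" line, that a password change should end the user's other logged-in sessions, is however a real design point, which is why such reports can sound plausible. The following is an added example, not code from the thread, from Shopify or from the sender: a minimal in-memory session store that replays the three "steps to reproduce" against two policies, one that keeps old sessions after a reset and one that ties each session to a password generation counter so sessions issued before the change are rejected. All user names, passwords and tokens are constructed for the example, and the hash function is a placeholder (real code would use a slow password hash such as Argon2 or bcrypt).

```python
"""Added example (not from the thread): session invalidation on password change."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class User:
    password_hash: str
    password_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    user_id: str
    password_generation: int  # generation the session was issued under


class SessionStore:
    """'invalidate_on_password_change=False' reproduces the weakness the
    report alleges; True is the corrected behaviour."""

    def __init__(self, invalidate_on_password_change: bool = True):
        self.invalidate = invalidate_on_password_change
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    @staticmethod
    def _hash(password: str) -> str:
        # Placeholder only: a real system uses a salted, slow password hash.
        return hashlib.sha256(password.encode()).hexdigest()

    def add_user(self, user_id: str, password: str) -> None:
        self.users[user_id] = User(password_hash=self._hash(password))

    def login(self, user_id: str, password: str):
        """Return a new session token, or None if the password is wrong."""
        user = self.users[user_id]
        if not secrets.compare_digest(user.password_hash, self._hash(password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, user.password_generation)
        return token

    def reset_password(self, user_id: str, new_password: str, keep_token=None) -> None:
        """Change the password; bump the generation so older sessions no longer
        match. The session that performed the reset (keep_token) is re-issued
        under the new generation so that browser stays logged in."""
        user = self.users[user_id]
        user.password_hash = self._hash(new_password)
        user.password_generation += 1
        if self.invalidate and keep_token in self.sessions:
            self.sessions[keep_token].password_generation = user.password_generation

    def is_valid(self, token) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        if not self.invalidate:
            return True  # weak policy: any known token stays valid forever
        return session.password_generation == self.users[session.user_id].password_generation


def replay_report(invalidate_on_password_change: bool) -> dict:
    """Replay the report's three steps and return what each browser sees."""
    store = SessionStore(invalidate_on_password_change)
    store.add_user("merchant", "old-password")            # constructed account
    other_browser = store.login("merchant", "old-password")  # step 2: second browser
    reset_browser = store.login("merchant", "old-password")  # browser that opens the reset link
    store.reset_password("merchant", "new-password", keep_token=reset_browser)  # step 3
    return {
        "other_browser_still_valid": store.is_valid(other_browser),
        "reset_browser_valid": store.is_valid(reset_browser),
        "old_password_still_works": store.login("merchant", "old-password") is not None,
        "new_password_works": store.login("merchant", "new-password") is not None,
    }


if __name__ == "__main__":
    print("weak policy:  ", replay_report(False))
    print("strict policy:", replay_report(True))
```

The generation counter is one way to implement the control without having to enumerate and delete every session row for the user; checking it on each request means a reset logs out every other device immediately, while the browser that performed the reset keeps working. A practitioner evaluating a report like the one in the thread would test exactly this: log in twice, reset from one session, and see whether the other still answers.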