by edsrzf 1584 days ago
I find it bizarre that urlscan.io displays recent scans from paying customers. I assume GitHub is large enough that they have to pay, anyway. If they're not, who is?
3 comments

From the URLscan pricing page [0], it looks like each plan has a tier of "private", "unlisted", and "public" scans. It looks like you're somewhat incentivized to just publicize all scans because that's the most economical. Based on what GitHub's email said, they've opted to scan things in public, probably assuming that the repos are public anyways. It looks like this assumption was a poor one to make, in this case.

[0]: https://urlscan.io/pricing/

Oh man I thought this was gonna be just showing the TLD or something. There is a scrolling list of scans, down to the exact HTTP transactions. Just watched an OAuth grant roll by in plaintext. Yikes.
I saw an authenticated (!) zoom invitation, yikes indeed.
There are also screenshots on every scan page, for example unsubscribe links where the email is visible.

This site must be a treasure trove for spam harvesters.

When you run a scan you specify whether it’s public, unlisted, or private. Can someone here explain the utility of non-private scans? (The urlscan.io folks apparently think it’s too obvious to explain.)