You Changed the Password. You Forgot Everything Else: 200 GoPhish Panels Exposed | Intercept Cell

We found 200 GoPhish phishing platforms indexed on Shodan and probed all of them. None were running default credentials. But the operators left everything else exposed: active credential-harvesting pages, co-hosted business infrastructure, open databases, Docker admin panels, RDP endpoints, and full mail servers sitting alongside their phishing tools. You changed the password. You forgot everything else.

GoPhish is the most popular open-source phishing framework. It is used by red teams, security awareness trainers, and threat actors alike. The admin panel is designed to run on a private network. We found 200 of them indexed on the public internet via Shodan, with their login pages accessible to anyone. We probed every one. We queried Shodan for http.title:"Gophish - Login" and pulled 200 unique panels across two pages of results. 134 were still alive with accessible login pages. The geographic distribution skews heavily toward the United States (38 panels), followed by Germany (16), India (7), France (6), the Netherlands (6), Indonesia (6), and Canada (6). The remaining panels are scattered across 23 additional countries. DigitalOcean hosts the most GoPhish infrastructure (25 panels), followed by Google Cloud (21), Microsoft Azure (13), Hetzner (6), Linode (5), and Oracle Cloud (4). The majority of operators chose major cloud providers with free tier or low-cost compute options. The admin panel port distribution tells its own story: 42 operators left the admin panel on GoPhish's default port 3333, meaning Shodan trivially fingerprints it. 8 panels run the admin interface over plaintext HTTP on port 80, transmitting admin credentials in cleartext. 3 operators chose port 4444, the default Metasploit handler port, which may indicate broader offensive tooling on the same host.