VYPR
Research · Published Nov 25, 2025 · Updated May 20, 2026 · 1 source

WatchTowr Finds 80,000+ Exposed Credential Fragments on Online Code Formatters

WatchTowr Labs discovered over 80,000 saved JSON fragments on public online tools like JSONFormatter and CodeBeautify, leaking credentials and secrets from critical infrastructure organizations.

WatchTowr Labs has uncovered a massive inadvertent credential leak affecting thousands of organizations, after discovering over 80,000 saved JSON fragments on popular online code formatting tools such as JSONFormatter and CodeBeautify. The exposed data includes Active Directory credentials, cloud environment keys, database credentials, API tokens, SSH session recordings, and personally identifiable information (PII) from sectors including critical national infrastructure, finance, government, and healthcare.

The research, part of watchTowr's ongoing 'vs the Internet' series, focused on two widely used online formatters that allow users to beautify and share code snippets. These tools offer a 'save' feature that generates a semi-permanent, shareable link to the formatted content. By iterating through these saved fragments, watchTowr captured a dataset of over 80,000 JSON pieces and parsed them for secrets and credentials.

Among the thousands of secrets discovered were Active Directory credentials, code repository authentication keys, database credentials, LDAP configuration information, cloud environment keys, FTP credentials, CI/CD pipeline credentials, full sensitive API requests and responses, private keys, card payment gateway credentials, RTSP credentials, administrative JWT tokens, helpdesk API keys, meeting room API keys, and SSH session recordings. The PII exposed covered all types, including an entire export of credentials from someone's AWS Secrets Manager.

The affected organizations span critical national infrastructure, government, finance, insurance, banking, technology, cybersecurity, retail, aerospace, telecoms, healthcare, education, and travel. WatchTowr emphasized that the leak stems from developers and administrators pasting sensitive data into these online tools, which then store the formatted content on the platform's servers, making it accessible to anyone who discovers the link.

WatchTowr noted that the popularity of these tools is immense, with a typical visit to any tool homepage triggering over 500 web requests. The sole developer behind these tools benefits from affiliate marketing revenue. The researchers warned that if they could pull off this discovery with limited resources, anyone could, highlighting the urgent need for organizations to educate employees about the risks of using online formatters for sensitive data.

This incident underscores a broader pattern of inadvertent credential exposure through developer tools, similar to past leaks via GitHub repositories, Postman workspaces, and DockerHub containers. WatchTowr recommends that organizations implement strict policies against using online formatters for sensitive data and consider using offline tools or internal services instead. The full research details are available on watchTowr's blog.
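One way to act on the offline-tool recommendation, shown as an added example that is not code from watchTowr or from this article: a local JSON formatter that pretty-prints on the user's machine and masks likely secrets before the output is shared anywhere. The key-name list, the value patterns and the sample document are assumptions constructed for illustration.

```python
import json
import re

MASK = "***REDACTED***"
# Key names that usually hold secrets (illustrative list, an assumption).
SECRET_KEY_RE = re.compile(
    r"passw(or)?d|passphrase|secret|token|api[_-]?key|private[_-]?key|credential|authorization",
    re.IGNORECASE,
)
# Value shapes that are sensitive whatever the key is called.
SECRET_VALUE_RES = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$"),   # JWT-shaped string
    re.compile(r"^AKIA[0-9A-Z]{16}$"),            # AWS access key ID shape
]

def redact(node, path="$", findings=None):
    """Return (copy with secrets masked, JSON paths that were masked)."""
    findings = [] if findings is None else findings
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            child = f"{path}.{key}"
            if SECRET_KEY_RE.search(key) and value not in (None, ""):
                findings.append(child)  # mask the whole subtree under a secret-like key
                out[key] = MASK
            else:
                out[key] = redact(value, child, findings)[0]
        return out, findings
    if isinstance(node, list):
        return [redact(v, f"{path}[{i}]", findings)[0] for i, v in enumerate(node)], findings
    if isinstance(node, str) and any(r.search(node) for r in SECRET_VALUE_RES):
        findings.append(path)
        return MASK, findings
    return node, findings

def format_locally(raw):
    """Pretty-print JSON on this machine and report what was masked."""
    redacted, findings = redact(json.loads(raw))
    return json.dumps(redacted, indent=2), findings

# Constructed sample input; every value is fake.
SAMPLE = json.dumps({
    "service": "billing",
    "db": {"host": "db.internal.example", "user": "svc_billing", "password": "EXAMPLE-ONLY"},
    "aws": {"access_key_id": "AKIAEXAMPLEEXAMPLE00", "region": "eu-west-1"},
    "headers": [{"name": "Auth", "value": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0."}],
})

if __name__ == "__main__":
    text, masked = format_locally(SAMPLE)
    print(text)
    print("masked:", masked)
```

Pattern matching of this kind misses secrets stored under unremarkable key names, so the masked-path list is a prompt for review rather than proof that the output is safe to share.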

Synthesized by Vypr AI