Mass Exposure of Credentials via Public Code Formatting Tools
Researchers from WatchTowr identified a significant security risk involving the public exposure of sensitive credentials and secrets through popular online code formatting tools, specifically JSONFormatter and CodeBeautify. These platforms, widely used by developers to format and share code, allow users to save their code snippets, which are then made accessible through a 'Recent Links' feature. Due to predictable URL structures and a lack of access controls, over 80,000 user pastes containing sensitive data—including Active Directory credentials, API keys, private keys, and configuration files—were found to be publicly accessible. The exposed data originated from organizations in critical sectors such as government, banking, healthcare, telecommunications, and cybersecurity.
The WatchTowr team demonstrated the real-world risk by planting canary tokens in these services, which were quickly accessed and used by unknown parties, confirming that malicious actors are actively scraping these sources for credentials. The incident highlights the dangers of uploading sensitive information to third-party web services without proper security controls and underscores the need for organizations to educate staff about the risks of using public tools for handling confidential data. The findings have prompted calls for both improved platform security and greater user awareness to prevent similar exposures in the future.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Exposure remains unresolved after disclosure
As of the publication of the reports, the Recent Links feature on JSONFormatter and CodeBeautify remained publicly accessible without adequate protections. The continued lack of access controls left the exposed secrets available for ongoing scraping and abuse.
Affected organizations and platform operators are notified
WatchTowr attempted to notify impacted organizations and raise the issue with relevant parties, including offering to share findings with national CERTs and government agencies. According to the reports, many affected organizations did not respond or take remediation action.
Researchers confirm attackers are scraping and testing leaked credentials
Using a honeypot experiment, WatchTowr confirmed that threat actors were actively monitoring the platforms and attempting to use credentials found in exposed pastes. The reporting also noted concern that such data could support follow-on intrusions and supply-chain attacks.
WatchTowr identifies exposed credentials across high-risk sectors
WatchTowr researchers discovered that the publicly accessible pastes contained secrets and configuration data from banks, government agencies, critical infrastructure, healthcare, and technology organizations. Exposed material included Active Directory credentials, API tokens, private keys, AWS credentials, and personally identifiable information.
Years of public code beautifier links expose sensitive pastes
JSONFormatter and CodeBeautify made user-submitted content accessible through unprotected, predictable "Recent Links" URLs, allowing public access to stored pastes over an extended period. Researchers later determined this design exposed more than 80,000 pastes totaling over 5GB of sensitive data.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Thousands of sensitive secrets published on JSONFormatter and CodeBeautify
securityaffairs.com
Open sourceCode formatters prompt expansive critical infrastructure secret exposure
scworld.com
Open sourcePopular code formatting sites are exposing credentials and other secrets
helpnetsecurity.com
Open sourceCode beautifiers expose credentials from banks, govt, tech orgs
bleepingcomputer.com
Open sourceData Leaks: Why Are We So Stupid About Free Online Services?
govinfosecurity.com
Open sourceYears of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys
thehackernews.com
Open sourceCode beautifiers expose credentials from banks, govt, tech orgs
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Exposure of Sensitive Credentials on Code Formatting Sites
Sensitive credentials, API keys, private keys, and configuration files have been exposed on widely used code formatting sites such as JSONFormatter and CodeBeautify. These platforms, intended for formatting and sharing code snippets, have inadvertently published thousands of secrets, making them accessible to unauthorized parties and increasing the risk of compromise for affected organizations and individuals. Security researchers and news outlets have highlighted the scale of the exposure, warning that the leaked information could be exploited by threat actors for malicious purposes. The incident underscores the importance of exercising caution when sharing code online and the need for platforms to implement stronger safeguards to prevent the unintentional disclosure of sensitive data.
Mar 21, 2026
Researchers Find 1,748 Valid API Keys Exposed Across Public Websites
Researchers from Stanford University, the University of California, Davis, and TU Delft found **1,748 valid API credentials** exposed across roughly **10,000 public webpages** after analyzing about **10 million websites**, revealing a broad secret-leakage problem outside traditional code repositories. The credentials, identified with TruffleHog and detailed in the study *Keys on Doormats: Exposed API Credentials on the Web*, provided access to services including **AWS**, **GitHub**, **Stripe**, and **OpenAI**. The exposed secrets were tied to multinational corporations, critical infrastructure operators, government agencies, and at least one global bank. Most of the exposed credentials were embedded in **JavaScript** resources, often inside bundled files generated by tools such as Webpack, creating direct paths into cloud infrastructure, payment systems, and software repositories. Researchers said AWS keys made up more than **16%** of verified exposures, and cited cases including cloud credentials linked to a global bank’s core infrastructure and firmware repository credentials associated with drones and remote-controlled devices, raising the risk of malicious firmware updates. After responsible disclosure, the number of exposed credentials dropped by about half within two weeks, but the study found such secrets often remain publicly accessible for an average of **12 months** and sometimes for years.
Apr 2, 2026
Mass Exposure of Live Credentials in Public Docker Hub Images
Security researchers at Flare have discovered that over 10,000 public Docker Hub container images are leaking sensitive secrets, including live credentials for production systems, cloud services, CI/CD pipelines, and AI platforms. The exposed data affects more than 100 organizations, ranging from small businesses to a Fortune 500 company and a major national bank. Many of these secrets are not placeholders but active credentials, with nearly 4,000 API keys for large language models such as OpenAI, HuggingFace, Anthropic, Gemini, and Groq found in the wild. In some cases, a single image contained five or more exposed secrets, significantly increasing the risk of unauthorized access to critical infrastructure. The leaks are often the result of developers inadvertently including sensitive files and hard-coded keys in Docker images, which are then published to public repositories. A notable portion of the exposed secrets comes from "shadow IT" accounts—personal or team Docker Hub registries outside formal corporate oversight—making them difficult for organizations to monitor and secure. The majority of affected organizations are in the software development sector, but the exposure also impacts finance, banking, and AI companies. This incident highlights the urgent need for improved security hygiene and automated scanning in the container development lifecycle to prevent inadvertent credential leaks.
Mar 21, 2026