Full Report
Thousands of credentials, authentication keys, and configuration data impacting organizations in sensitive sectors have been sitting in publicly accessible JSON snippets submitted to the JSONFormatter and CodeBeautify online tools that format and structure code. [...]
Analysis Summary
# Incident Report: Public Exposure via Code Beautifier Services
## Executive Summary
Researchers discovered that over 80,000 sensitive data snippets, including credentials, keys, and configuration files from high-risk sectors, were publicly accessible via the "Recent Links" feature on the JSONFormatter and CodeBeautify tools. This exposure stemmed from users saving data to third-party platforms that enforced no adequate access controls. Active harvesting of the exposed data was confirmed when canary tokens the researchers planted in it were used.
## Incident Details
- **Discovery Date:** November 25, 2025 (Date of publicized research findings)
- **Incident Date:** Ongoing exposure dating back up to five years (JSONFormatter) and one year (CodeBeautify). The earliest confirmed access to planted tokens occurred 48 hours after uploading/saving.
- **Affected Organization:** JSONFormatter and CodeBeautify (Platforms hosting the data); Numerous organizations across various sectors where users mistakenly exposed their data.
- **Sector:** Government, critical infrastructure, banking, insurance, aerospace, healthcare, education, cybersecurity, and telecommunications.
- **Geography:** Global (Implied, based on the multinational nature of affected entities).
## Timeline of Events
### Initial Access (Data Exposure)
- **Date/Time:** Ongoing, potentially up to five years prior to discovery.
- **Vector:** User configuration error combined with platform vulnerability (lack of default privacy controls).
- **Details:** Users saved JSON snippets containing sensitive data (credentials, keys) to the platforms, which automatically added them to the publicly accessible "Recent Links" feature.
### Lateral Movement
- **Details:** Not applicable to the platform provider's network. In the context of the exposed data, attackers could use the stolen credentials (e.g., AD credentials, cloud keys) to move internally within the affected organizations.
### Data Exfiltration/Impact
- **Details:** Researchers scraped publicly accessible links to download over 5GB of data, including production credentials, private keys, and PII/KYC data from high-value targets. Use of the planted canary tokens by third parties confirmed that the exposed data was being actively scraped.
### Detection & Response
- **Details:** Discovered by WatchTowr researchers examining the platforms. Response involved WatchTowr contacting affected organizations to notify them of the exposure. Remediation status among users was mixed.
## Attack Methodology
- **Initial Access:** Misconfiguration/Insecure design of the third-party web service ("Recent Links" feature made all saved pastes public by default).
- **Persistence:** Not applicable to the attacker, but the persistence of the sensitive data in the public repository allowed long-term collection.
- **Privilege Escalation:** Not explicitly detailed, but stolen infrastructure credentials (e.g., AWS keys, AD credentials) could be used by attackers for subsequent privilege escalation within target networks.
- **Defense Evasion:** The reliance on third-party tools that users trusted shielded the exposure from the victims' internal security monitoring systems.
- **Credential Access:** Direct scraping of plaintext credentials, private keys, API tokens, and authentication keys from the JSON endpoints.
- **Discovery:** Automated crawling of the predictable URL structure of the "Recent Links" pages.
- **Lateral Movement:** Potential for attackers to use harvested credentials to move between internal systems (e.g., Active Directory, cloud environments) of the affected victims.
- **Collection:** Downloading/scraping JSON snippets via the `getDataFromID` API endpoint or direct URL access.
- **Exfiltration:** Data retrieved by researchers from the public endpoints.
- **Impact:** Direct theft of production secrets, configuration data, and PII/KYC information.
## Impact Assessment
- **Financial:** Unknown, but high risk given the exposure of financial exchange credentials and bank MSSP data, implying potential for direct monetary loss or costly remediation.
- **Data Breach:** Confirmed exposure of Active Directory, database, and cloud credentials, private keys, code repository tokens, CI/CD secrets, payment gateway keys, API tokens, PII, and KYC data.
- **Operational:** Significant operational risk due to exposure of critical infrastructure configuration data (e.g., government hardening scripts, infrastructure cloud config).
- **Reputational:** High damage potential, especially for the MSSP and the international stock exchange whose production credentials were leaked.
## Indicators of Compromise
- **Network indicators:** N/A (Focus is on the source platform, not victim ingress/egress).
- **File indicators:** Exposure includes configuration files, PowerShell scripts, and JSON snippets containing secrets.
- **Behavioral indicators:** Successful access attempts recorded against planted canary tokens 48 hours post-upload, indicating active enumeration by external parties.
## Response Actions
- **Containment:** WatchTowr utilized canary tokens to confirm active data access attempts by potential attackers.
- **Eradication:** Victims were notified by WatchTowr to rotate compromised credentials, keys, and tokens. However, the study notes many organizations did not respond to notifications.
- **Recovery:** Remediation efforts rely solely on the affected organizations rotating their secrets exposed on the platform.
## Lessons Learned
- **Developer practice failure:** Developers and engineers are inherently trusting of third-party convenience tools, failing to sanitize or secure secrets before pasting them into online formatters for sharing or testing.
- **Platform Responsibility:** Third-party code/data sharing tools must default configuration settings to private, requiring explicit opt-in for public sharing.
- **Persistence of Exposure:** Canary token testing showed that data remained accessible even after the links were supposed to have expired.
## Recommendations
- Implement mandatory secrets scanning (SAST/DAST) in CI/CD pipelines and pre-commit hooks to prevent secrets from ever being checked into code repositories or pasted externally.
- Organizations must strictly prohibit the use of external, public online tools for formatting or processing sensitive system configurations or code snippets containing credentials.
- Developers should utilize encrypted, ephemeral, or secure internal systems for temporary code sharing instead of public web services.
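As an added illustration of the pre-commit secrets check recommended above (example code written for this summary, not part of the research or of either platform): a small Python scanner that walks a JSON snippet and refuses it when a string leaf looks like a cloud access key, a private key block or a JWT, or sits under a credential-like key. The regexes, the key-name list and the constructed sample snippet are this example's own assumptions.

```python
from __future__ import annotations
import json
import re
import sys
from typing import Iterator

# Patterns for the kinds of secret material the report lists (cloud keys,
# private keys, API tokens). The regexes are this example's own choices.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}
# JSON keys whose values are almost always credentials (matched case-insensitively).
SENSITIVE_KEYS = re.compile(r"(password|passwd|secret|token|api_?key|private_?key)", re.I)


def walk(obj, path="$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, string_value) for every string leaf of a parsed document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (finding_type, json_path) for each suspicious leaf; if the input is
    not valid JSON, fall back to matching the secret patterns over the raw text."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [(name, "$") for name, rx in PATTERNS.items() if rx.search(text)]
    findings = []
    for path, value in walk(doc):
        findings += [(name, path) for name, rx in PATTERNS.items() if rx.search(value)]
        if SENSITIVE_KEYS.search(path.rsplit(".", 1)[-1]) and value.strip():
            findings.append(("sensitive_key", path))
    return findings


# Constructed sample resembling the config snippets the report describes.
SAMPLE = '{"db": {"host": "db.internal", "password": "hunter2"}, "aws": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}'

if __name__ == "__main__":  # usage: python scan.py [file]; exits 1 when secrets are found
    hits = find_secrets(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE)
    for kind, where in hits:
        print(f"BLOCKED: {kind} at {where}")
    sys.exit(1 if hits else 0)
```

Wired into a pre-commit hook or a paste-gateway, a non-zero exit blocks the snippet before it leaves the machine; the same check can run over an export of existing shared links to triage what needs rotating.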