Full Report
New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code. Cybersecurity company watchTowr Labs said it captured a dataset of over 80,000 files on these sites, uncovering thousands of
Analysis Summary
# Incident Report: Mass Credential Exposure via Online Code Tools
## Executive Summary
This incident involves a massive, ongoing data exposure discovered by watchTowr Labs, where organizations across sensitive sectors (government, critical infrastructure, finance) are accidentally leaking highly sensitive credentials and secrets by pasting them into public online code formatting tools like JSONformatter and CodeBeautify. The incident has resulted in the exposure of thousands of secrets, including cloud keys and Active Directory credentials, which are actively being harvested by malicious actors. Response actions initiated by the vendor involved the temporary disabling of the "save" functionality on these tools.
## Incident Details
- **Discovery Date:** November 25, 2025 (Date of publication/research release)
- **Incident Date:** Ongoing, spanning up to five years of historical data on JSONformatter and one year on CodeBeautify.
- **Affected Organization:** Not a single target organization; includes numerous entities globally (Governments, Telecoms, Critical Infrastructure, Finance, Healthcare, etc.).
- **Sector:** Cross-sectoral, focusing on sensitive industries.
- **Geography:** Global (Implied by the diverse nature of affected organizations).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing, historical data spanning years.
- **Vector:** Human error / Insecure software development practices (Developer actions).
- **Details:** Developers and administrators pasted sensitive data (passwords, API keys, configuration files) directly into public tools (JSONformatter, CodeBeautify) for formatting or validation purposes.
### Lateral Movement
- **Details:** Not applicable to the initial vector. However, the *attacker access* to the already exposed data relied on the tools' features:
1. The tools create shareable links for pasted content.
2. Both tools expose a "Recent Links page" listing saved content.
3. URLs follow a predictable format, allowing automated scraping/crawling.
### Data Exfiltration/Impact
- **Details:** Over 80,000 files (totaling over 5GB) were captured by researchers. This included usernames, passwords, repository authentication keys, Active Directory credentials, cloud environment keys (e.g., AWS), database credentials, and SSH session recordings. watchTowr confirmed active abuse, noting that bad actors attempted to use deliberately leaked fake keys within 48 hours.
### Detection & Response
- **How it was discovered:** Discovered through proactive research conducted by the cybersecurity company watchTowr Labs.
- **Response actions taken:** watchTowr alerted affected organizations. The online tools (__*jsonformatter[.]org*__ and __*codebeautify[.]org*__) temporarily disabled the "save" functionality, likely in September 2025, in response to alerts received from researchers/organizations.
## Attack Methodology
- **Initial Access:** Accidental exposure via insecure manual pasting of credentials into third-party web services performing benign functions (code formatting).
- **Persistence:** Via publicly accessible, semi-permanent URLs generated by the tools.
- **Privilege Escalation:** Not directly applicable, as the method relied on finding existing, high-privilege credentials already pasted.
- **Defense Evasion:** The data bypasses traditional network perimeter defenses because it is willingly uploaded to external, legitimate-appearing public websites; the weakness lies in *user* behavior, not in a vulnerability in the tool.
- **Credential Access:** Direct scraping and harvesting of plaintext or encrypted sensitive material available in saved payload URLs.
- **Discovery:** Automated scraping of the known, predictable URL structure using crawlers.
- **Lateral Movement:** Not applicable in the traditional sense; the exposed credentials *are* the result of the automated data harvest rather than of movement within a victim network.
- **Collection:** Automated collection of high-value text strings from the saved links.
- **Exfiltration:** Data was publicly indexed or accessible via direct URL requests to the tool's storage mechanism.
- **Impact:** Direct compromise of downstream systems (e.g., AWS environments, Active Directory).
## Impact Assessment
- **Financial:** Not explicitly quantified in the release but implied to be high due to compromises in banking and critical infrastructure sectors.
- **Data Breach:** Thousands of plaintext/encrypted credentials, API keys (including helpdesk and meeting room keys), KYC information, and configuration data (over 5GB).
- **Operational:** Potential for complete takeover of critical systems (e.g., financial exchanges, infrastructure components) due to exposed root/admin credentials.
- **Reputational:** Significant reputational damage to organizations that use best practices for security but fail to enforce policy regarding external tooling.
## Indicators of Compromise
- **Network indicators (defanged):** Access logs indicating scraping against known tool endpoints: __*jsonformatter[.]org/recentLinksPage*__, __*codebeautify[.]org/recentLinksPage*__, and sequential ID calls to __*jsonformatter[.]org/{id-here}*__.
- **File indicators:** Any configuration files, secrets, or credentials found hosted publicly on these specific domains.
- **Behavioral indicators:** Sudden, unauthorized activity originating from exposed cloud/AD credentials shortly after their appearance on the public indexes.
## Response Actions
- **Containment measures:** Organizations must immediately assume that *every* credential pasted is already compromised and rotate all associated keys, passwords, and tokens found during the research window. Credentials related to highly sensitive systems (PKI, banking back-ends) require immediate lockdown.
- **Eradication steps:** Revoke exposed tokens/keys across all platforms (AWS, Git repositories, internal AD). Conduct forensic analysis of systems accessed post-exposure.
- **Recovery actions:** Re-issuance of all compromised credentials and application of stricter credential management policies.
## Lessons Learned
- Developers must be trained extensively on data hygiene, especially concerning online code formatting and validation tools: if a task requires sensitive input, it should be run locally or in an air-gapped, vetted environment.
- Publicly facing “Recent Links” or share functionality on tools handling secrets creates an easily exploitable index for attackers.
- Trusting any external, third-party website with initial configuration secrets is inherently risky, regardless of the tool's advertised function (e.g., code beautification).
## Recommendations
- Implement mandatory DLP (Data Loss Prevention) scans on outgoing corporate traffic targeting known formatting/beautification websites.
- Prohibit the use of public online tools for processing or validating sensitive data (passwords, access tokens, PII, config files) in all enterprise environments.
- Utilize internal, self-hosted, or highly vetted/approved tooling for developer convenience tasks involving secrets.
- Conduct regular shadow cloud scanning to monitor for accidental leakage of keys and secrets to unmanaged external services.
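The following Python is an added illustration of the egress DLP recommendation and the network indicators above; it is not part of the report or of watchTowr's research. It triages constructed proxy log lines, flags every request to the two domains named in the report, and raises the severity when a save/upload body contains credential-shaped strings. The log layout, the URL paths, the payload and the pattern set are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Domains named in the report; a real egress watchlist would be longer.
WATCHED_DOMAINS = {"jsonformatter.org", "codebeautify.org"}

# Credential-shaped patterns (illustrative, not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_field": re.compile(r'"(?:password|passwd|pwd)"\s*:\s*"[^"]{4,}"', re.I),
}

# Assumed proxy log layout: <ts> <src> <method> <url> <status> [body='<payload>']
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})"
    r"(?: body='(?P<body>.*)')?$"
)

# Constructed sample log: hosts, paths and the pasted payload are all made up.
SAMPLE_LOG = [
    "2025-11-20T09:14:02Z 10.0.4.17 GET https://jsonformatter.org/ 200",
    "2025-11-20T09:14:40Z 10.0.4.17 POST https://jsonformatter.org/save 200 "
    "body='{\"db\":{\"user\":\"svc\",\"password\":\"hunter22\"},\"aws\":\"AKIAABCDEFGHIJKLMNOP\"}'",
    "2025-11-20T09:15:11Z 10.0.9.3 POST https://codebeautify.org/jsonviewer 200 body='{\"theme\":\"dark\"}'",
    "2025-11-20T09:16:00Z 10.0.2.8 GET https://example.com/api 200",
]

def is_watched(url):
    """True when the request host is a watched domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def find_secrets(text):
    """Names of the credential patterns found in a request body, sorted."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text))

def triage_log(lines):
    """One alert per request to a watched site; saves carrying secrets rank highest."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_watched(m["url"]):
            continue
        # Only uploads (POST) can leak content; GETs are visits worth a follow-up at most.
        secrets = find_secrets(m["body"] or "") if m["method"] == "POST" else []
        severity = "high" if secrets else "medium" if m["method"] == "POST" else "low"
        alerts.append({"src": m["src"], "url": m["url"], "severity": severity, "secrets": secrets})
    return alerts
```

Running `triage_log(SAMPLE_LOG)` yields three alerts: a low-severity visit, a high-severity save containing an AWS key id and a password field, and a medium-severity save with no detected secret; the request to example.com is ignored.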