Cybersecurity firm watchTowr has uncovered a trove of leaked passwords, access keys, and sensitive configuration files that were unintentionally exposed from popular online formatting tools, JSON formatter, and CodeBeautify. 

watchTowr Labs said it collected a dataset containing more than 80,000 files from sites used to format and validate code. Within those files, researchers found usernames, passwords, repository authentication keys, Active Directory credentials, database connection strings, FTP credentials, cloud environment access keys, LDAP configuration details, helpdesk API keys, and even recordings of SSH sessions. 

“We’ve been rifling through platforms that developers use to quickly format their input – like JSONFormatter and CodeBeautify. And yes, you are correct – it went exactly as badly as you might expect,” watchTowr’s blog post published on Tuesday. 

Online utilities such as JSONFormatter and CodeBeautify are meant to beautify or validate data formats, where devs paste snippets of code or configuration files into them to troubleshoot formatting issues. But according to researchers, many employees are unknowingly pasting entire files that contain live secrets from production systems.

JSON and CodeBeautify leak data from government, banks, and healthcare

According to the security firm, the leaked data flaw has yet to affect three platforms, including GitHub repositories, Postman workspaces, and DockerHub containers. However, it found five years of historical content from JSONFormatter and one year of historical content from CodeBeautify, totaling more than 5 gigabytes of enriched and annotated JSON material. 

“The popularity is so great that the sole developer behind these tools is fairly inspired – with a typical visit to any tool homepage triggering 500+ web requests pretty quickly to generate what we assume is some sweet, sweet affiliate marketing revenue,” the cybersecurity group explained.

watchTowr Labs said organizations from industries like national infrastructure, government agencies, major financial institutions, insurance companies, technology providers, retail firms, aerospace organizations, telecoms, hospitals, universities, travel businesses, and even cybersecurity vendors have all had their private information exposed.

“These tools are extremely popular, appearing near the top of search results for terms like ‘JSON beautify’ and ‘best place to paste secrets’ (probably, unproven), used by organizations and administrators in both enterprise environments and for personal projects,” Security researcher Jake Knott wrote in the blog post.

watchTowr Labs listed several categories of sensitive data found within the exposed files like Active Directory credentials, code repository authentication keys, database access details, LDAP configuration information, cloud environment keys, FTP login credentials, CI/CD pipeline keys, private keys, and full API requests and responses with sensitive parameters.

Investigators also mentioned Jenkins secrets, encrypted configuration files belonging to a cybersecurity firm, Know Your Customer information from banks, and AWS credentials belonging to a major financial exchange that were connected to Splunk systems. 

watchTowr: Malicious actors are scraping the leaks

According to watchTowr Labs’ damage analysis, many of the leaked keys have been collected and tested by unknown parties. In an experiment, researchers uploaded fake AWS access keys to one of the formatting platforms, and in just under two days, malicious actors attempted to abuse the credentials.

“Mostly because someone is already exploiting it, and this is all really, really stupid,” Knott continued, “we don’t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites.”

JSONFormatter and CodeBeautify temporarily disabled their save functionality in September, when the security flaw was brought to their attention. JSONFormatter it was “working on to make it better,” while CodeBeautify said it was implementing new “enhanced NSFW (Not Safe For Work) content prevention measures.” 

Security issue in HashiCorp’s Vault Terraform Provider

Away from the leaked credentials, the San Francisco-based IBM company HashiCorp found a vulnerability that could allow attackers to bypass authentication in its Vault Terraform Provider. The firm provides developers, businesses, and security organizations with cloud-computing infrastructure and protection services.

Per the software company’s findings shared on Tuesday, the Vault Terraform flaw affects versions v4.2.0 through v5.4.0 from an insecure default configuration in the LDAP authentication method.

The issue arises because the “deny_null_bind” parameter is set to false instead of true when the provider configures Vault’s LDAP authentication backend. The parameter determines if the Vault rejects a wrong password or unauthenticated binds. 

If the connected LDAP server allows anonymous binds, attackers can authenticate and access accounts without any valid credentials.

Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.