Developers Are Exposing Passwords and API Keys Through Online Code Tools

Security researchers at watchTowr Labs uncovered a massive leak of sensitive credentials after scanning popular online JSON formatting tools.

Developers and administrators have been pasting passwords, API keys, database credentials, and personally identifiable information (PII) into sites like jsonformatter.org and codebeautify.org, where “save” features create publicly shareable links.

By crawling “Recent Links” pages and extracting data via simple POST requests to endpoints such as /service/getDataFromID, the team collected over 80,000 submissions spanning years, revealing thousands of high-value secrets from critical sectors, including government, finance, critical national infrastructure (CNI), and cybersecurity firms.

These exposures stem from tools designed for quick code prettification, often ranking high in searches for “JSON beautify.”

Historical “Recent Links” pages list up to 350,000 entries on jsonformatter.org alone, with each page holding 10 items, including titles, dates, and IDs.

The format is predictable, enabling automated scraping: iterate pages, grab IDs, and POST {"urlid": "ID", "toolstype": "json"} to retrieve raw JSON payloads.

This method yielded gigabytes of data without violating terms, exposing hardcoded AWS AccessKeyIds (AKIA-prefixed), Jenkins credentials.xml files with encrypted master keys, and Splunk SOAR playbooks tied to production S3 buckets.

Shocking Discoveries Across Industries

Analysis focused on enterprise-linked secrets, filtering for organizational emails, domains, or keywords like CyberArk and internal hostnames.

Critical findings included Active Directory credentials for a central U.S. bank leaked via an MSSP employee’s onboarding email, including usernames, passwords, security questions, and tokens.

A cybersecurity vendor exposed encrypted SPN keytabs, SSL private key passwords, and QA/dev configurations that potentially mirror production setups.

Banking KYC data was dumped, including complete customer profiles: names, addresses, phone numbers, IPs, ISPs, and video interview links hosted on bank domains.

Government entities revealed PowerShell deployment scripts over 1,000 lines long that detail internal endpoints, IIS configurations, registry hardening, and default admin usernames.

A stock exchange leaked AWS credentials for incident response automation, risking sabotage of detection logic.

Supply chain firms shared Docker Hub, JFrog, Grafana, and RDS credentials in cloud infrastructure configurations.

Even MITRE-linked Jenkins exports from a university project surfaced encrypted tokens and private keys. Sectors hit: finance, telecoms, healthcare, aerospace, retail, and MSSPs serving banks.

| Secret Type | Examples Found | Sectors Impacted |
|---|---|---|
| Cloud Keys | AWS AKIA/SecretAccessKey, S3 buckets | Exchanges, Tech |
| Auth Creds | AD usernames/passwords, Jenkins XML | MSSPs, Banks, Gov |
| API Tokens | GitHub RW tokens, Splunk SOAR | Consultancies, Sec Firms |
| PII/Databases | KYC profiles, RDS creds | Banking, Insurance |
| Configs/Scripts | PowerShell hardening, SPN keytabs | Gov, Cyber Sec |

watchTowr notified affected organizations and CERTs, such as CISA, NCSC UK, and CERT-EU, months in advance, but received limited responses.

A canarytoken test confirmed others are scraping: fake AWS creds triggered hits 48 hours post-expiry, proving active exploitation.

Developers must avoid saving sensitive data in these tools; use local editors or secure vaults instead. Platforms should turn off public saves or add expiry enforcement.
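One way to put that advice into practice is a pre-paste check that walks a JSON blob, flags the secret types the article reports (AKIA-prefixed AWS access key ids, PEM private keys, values under credential-named keys) and redacts them. This is an added example, not code from watchTowr or from the formatter sites; the key-name list and the sample config are assumptions constructed for the demonstration.

```python
import json
import re

# Value patterns for secret types the article reports (AWS AKIA access key ids,
# PEM private keys) and key names that commonly hold credentials (an assumption).
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
SENSITIVE_KEY = re.compile(
    r"password|passwd|pwd|secret|token|api[_-]?key|accesskey|private[_-]?key",
    re.IGNORECASE)

def _walk(node, path, findings, key_is_sensitive=False):
    """Recursively redact suspicious values, recording (path, reason) hits."""
    if isinstance(node, dict):
        return {k: _walk(v, f"{path}.{k}" if path else k, findings,
                         bool(SENSITIVE_KEY.search(k)))
                for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, f"{path}[{i}]", findings) for i, v in enumerate(node)]
    if isinstance(node, str):
        reason = None
        if AWS_ACCESS_KEY.search(node):
            reason = "aws-access-key-id"
        elif PEM_PRIVATE_KEY.search(node):
            reason = "private-key"
        elif key_is_sensitive and node:
            reason = "credential-field"
        if reason:
            findings.append((path, reason))
            return "[REDACTED]"
    return node

def scrub_before_sharing(raw_json):
    """Return (redacted JSON text, findings); any finding means: do not 'save'."""
    findings = []
    cleaned = _walk(json.loads(raw_json), "", findings)
    return json.dumps(cleaned, indent=2), findings

# Constructed sample in the style of the configs the article describes; every
# value is a made-up placeholder, not a real credential.
SAMPLE = json.dumps({
    "app": "payments-qa",
    "aws": {"AccessKeyId": "AKIAEXAMPLEKEY000000", "SecretAccessKey": "wJalr/FAKE"},
    "db": {"host": "rds.internal", "user": "svc", "password": "hunter2"},
    "tls": {"cert": "-----BEGIN RSA PRIVATE KEY-----\nFAKE\n-----END RSA PRIVATE KEY-----"},
})
```

Running `scrub_before_sharing(SAMPLE)` returns the redacted text plus four findings (the AKIA id, the secret key, the DB password and the PEM block); non-empty findings are the signal to keep the blob in a local editor rather than a public save link.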

This underscores shared responsibility: even savvy teams leak via convenience, fueling supply chain risks.

Preemptive exposure management, like watchTowr’s platform, detects such flaws before attackers do.
