
Credentials Flooded Public Domains via Code Formatters

A sweeping investigation by security researchers at watchTowr has revealed that thousands of passwords, API keys and other sensitive credentials belonging to governments, financial institutions, healthcare providers and critical-infrastructure firms have been publicly exposed through widely used code-formatting websites such as JSONFormatter and CodeBeautify. These platforms, designed to “beautify” or validate code and configuration files, allowed users to save their input and generate shareable URLs — a feature that inadvertently made the pasted data accessible to anyone able to browse or crawl the “Recent Links” pages.

watchTowr scraped more than 80,000 user submissions across the two services, spanning five years of JSONFormatter usage and one year of CodeBeautify logs, for over 5 gigabytes of raw data. A significant portion of it contained high-value secrets: Active Directory credentials, AWS access keys, database and FTP passwords, SSH private keys, CI/CD configuration scripts and even complete customer Know-Your-Customer datasets including personal identifiers.

Among the most alarming disclosures was a set of live AWS credentials tied to a major international stock exchange's Splunk instance, meaning that even the security-monitoring stack of a heavily regulated organisation was among the inadvertent exposures. Other leaks included encrypted Jenkins master-key files, Docker and Grafana credentials for a "data-lake-as-a-service" provider, SSH session logs, database connection strings and payment-gateway API keys. Sensitive data from banking, insurance, aerospace, telecoms and education also featured prominently.

Investigators found that extracting the content was trivial because the shareable URLs followed predictable, enumerable patterns. By automating requests to the exposed endpoints, the team collected raw JSON payloads en masse without exploiting any vulnerability; every request used a legitimate platform feature. To verify that others were doing the same, watchTowr deliberately saved dummy AWS keys instrumented as canary tokens and observed that some were probed by unknown external actors within 48 hours, a clear indication that threat actors actively scan these services for exploitable secrets.
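Turning 5 gigabytes of scraped pastes into a list of live secrets means running detectors over every saved document. The script below is an added example, not watchTowr's tooling: it scans a small corpus of constructed sample pastes (the AWS values are the placeholder key pair from the AWS documentation, not real credentials) for the secret classes named above, flags connection strings only when they actually embed a password, and reports each hit masked so the report itself does not become another leak. The regexes are illustrative assumptions; a production scanner carries many more rules.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    doc: str      # which pasted document the hit came from
    line: int     # 1-based line number inside that document
    kind: str     # detector name
    masked: str   # redacted value, safe to put in a report


# Detectors for the secret classes the article lists. Illustrative, not
# exhaustive: production scanners carry hundreds of such rules.
PATTERNS: Dict[str, re.Pattern] = {
    # AWS long-term (AKIA) and temporary (ASIA) access key IDs.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A 40-character base64-style value next to a "secret access key" label.
    "aws_secret_access_key": re.compile(
        r"(?i)secret_?access_?key\W{1,5}([A-Za-z0-9/+=]{40})\b"),
    # PEM / OpenSSH private key headers (the header itself is not secret).
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # Database / FTP connection strings; only flagged if they embed a password.
    "connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|s?ftp)://[^\s\"',]+"),
}


def mask(value: str) -> str:
    """Keep just enough of a secret to recognise it, never the whole thing."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(doc: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if kind == "connection_string" and urlsplit(value).password is None:
                    continue  # a bare hostname URL is configuration, not a secret
                shown = value if kind == "private_key_block" else mask(value)
                findings.append(Finding(doc, lineno, kind, shown))
    return findings


def scan_corpus(pastes: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for doc, text in pastes.items():
        out.extend(scan_text(doc, text))
    return out


def summarise(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample "pastes" standing in for saved formatter output. The AWS
# values are the placeholder pair from the AWS documentation, not live keys.
SAMPLE_PASTES: Dict[str, str] = {
    "app-config.json": """{
  "region": "us-east-1",
  "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
  "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "db": "postgres://app:Sup3rS3cret@db.internal:5432/prod"
}""",
    "deploy.yaml": """services:
  cache:
    url: redis://cache.internal:6379/0
  key: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
    -----END OPENSSH PRIVATE KEY-----
""",
    "harmless.json": '{"name": "demo", "version": "1.2.3"}',
}


if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_PASTES):
        print(f"{f.doc}:{f.line}  {f.kind:<22} {f.masked}")
    print(summarise(scan_corpus(SAMPLE_PASTES)))
```

The same detectors, pointed at an organisation's own outbound paste traffic or at a pre-commit hook, catch the secret before it reaches a third-party "Save" button rather than after a researcher finds it in a public listing.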

The root of the problem appears to be a widespread lack of awareness among developers and administrators who treated these code-formatting platforms as quick, throwaway utilities, not understanding that the "Save" function created semi-permanent public archives. The convenience of the tools overshadowed the risk, and organisations across regulated sectors are now grappling with possible exposure of production credentials and sensitive customer data. For any of them the practical response is the same as for any other credential leak: assume anything ever pasted into such a tool was seen, rotate it, and check access logs for use of the affected keys since the date it was saved.

Both JSONFormatter and CodeBeautify responded by temporarily disabling the "Save" or shareable-link feature shortly after the disclosures were publicised. The companies stated they are working to improve security and prevent misuse, though the full extent of remediation, such as purging historic saved files or notifying affected organisations, remains unclear.