Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys
New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code. Cybersecurity company watchTowr Labs said it captured a dataset of over 80,000 files on these sites, uncovering thousands of
AI Analysis
Technical Summary
Research by watchTowr Labs uncovered a significant data exposure involving two widely used online JSON formatting and validation tools, JSONFormatter and CodeBeautify. These tools allow users to paste JSON or code snippets, format them, and optionally save the formatted output as shareable URLs. Over five years of JSONFormatter data and one year of CodeBeautify data, amounting to over 5GB of enriched JSON files, were found publicly accessible due to the tools' save features and predictable URL structures. The dataset contained thousands of sensitive credentials including usernames, passwords, repository authentication keys, Active Directory credentials, database and FTP credentials, cloud environment keys, LDAP configurations, API keys for helpdesk and meeting room systems, SSH session recordings, and personal information. Affected organizations span critical national infrastructure, government, finance, insurance, banking, technology, retail, aerospace, telecommunications, healthcare, education, travel, and cybersecurity sectors. The tools' recent links pages and predictable URL patterns allowed attackers to crawl and scrape these URLs systematically. The research also demonstrated that fake AWS keys uploaded to these tools were tested by malicious actors within 48 hours, confirming active exploitation attempts. The exposure results from poor operational security practices where users paste sensitive secrets into third-party online tools without understanding the risks. In response, both JSONFormatter and CodeBeautify have temporarily disabled the save functionality and are working on improvements. The incident highlights the dangers of using public online tools for handling sensitive data and the need for organizational policies to prevent such risky behavior.
Potential Impact
European organizations, especially those in government, finance, telecommunications, and critical infrastructure sectors, face severe risks from this exposure. Compromised credentials can lead to unauthorized access to sensitive systems, data breaches, financial fraud, disruption of critical services, and erosion of trust. The leak of cloud environment keys and Active Directory credentials can facilitate lateral movement within networks, enabling attackers to escalate privileges and exfiltrate data. The exposure of API keys and SSH session recordings further increases the attack surface, potentially allowing attackers to manipulate operational systems or intercept communications. Given the broad range of sectors affected, the impact extends beyond individual organizations to national security and economic stability. The ease with which attackers can scrape and exploit these leaked credentials exacerbates the threat, making rapid detection and response critical. Additionally, the incident may lead to regulatory scrutiny under GDPR and other data protection laws, resulting in legal and financial consequences for affected entities.
Mitigation Recommendations
1. Immediately identify and rotate all credentials, API keys, and secrets that may have been exposed through these tools.
2. Implement strict organizational policies prohibiting the use of public online formatting or validation tools for handling sensitive credentials or data.
3. Educate developers, administrators, and staff on secure handling of secrets and the risks of pasting sensitive information into third-party websites.
4. Employ secrets management solutions that securely store and manage credentials without exposing them in plaintext.
5. Monitor logs and network traffic for suspicious activities indicative of credential misuse or unauthorized access.
6. Use multi-factor authentication (MFA) extensively to reduce the impact of compromised credentials.
7. Engage in threat intelligence sharing with industry peers and national cybersecurity agencies to stay informed about exploitation attempts.
8. Review and enhance incident response plans to quickly address credential leaks and related security incidents.
9. Encourage vendors of online tools to implement stronger security controls, such as non-predictable URLs, access controls, and data retention policies.
10. Conduct regular audits and penetration testing focused on credential exposure risks.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Spain, Belgium, Sweden, Poland, Finland
Technical Details
- Article Source
- {"url":"https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html","fetched":true,"fetchedAt":"2025-11-25T17:20:34.503Z","wordCount":1101}
Threat ID: 6925e565174e41d3fb49883b
Added to database: 11/25/2025, 5:20:37 PM
Last enriched: 11/25/2025, 5:20:56 PM
Last updated: 12/4/2025, 3:35:42 PM