Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys

Impact: CRITICAL User Risk: HIGH

Two popular online code formatting tools, JSONFormatter and CodeBeautify, have inadvertently exposed over 80,000 files containing thousands of sensitive credentials from organizations across critical sectors. Security researchers from watchTowr Labs discovered five years of historical data totaling over 5GB, including Active Directory passwords for banks, AWS credentials from financial exchanges, GitHub tokens from major consulting firms, and customer KYC information. The leak occurred through a “Recent Links” feature that made supposedly temporary saves publicly accessible to anyone. Examples include an MSSP employee who uploaded onboarding credentials for a U.S. bank, a cybersecurity company that exposed encrypted SSL certificate passwords, and government entities that leaked PowerShell configuration scripts. Threat actors are already actively scanning and testing these exposed credentials, as confirmed by watchTowr’s honeypot experiment.

Index

  1. What Happened
  2. How the Exposure Occurred
  3. What Was Exposed
  4. Who Was Affected
  5. Real-World Examples of Exposed Data
  6. Evidence of Active Exploitation
  7. What You Should Do Now
  8. Platform Response

What Happened

Security researchers at watchTowr Labs discovered a massive security exposure affecting two widely-used online code formatting platforms. JSONFormatter and CodeBeautify allow developers to format, validate, and beautify code snippets. These tools appear at the top of search results when developers search for terms like “JSON beautify” or “code formatter,” making them extremely popular among both individual developers and enterprise organizations.

The platforms offer a “save” feature that creates shareable links to formatted code. While this seems convenient, these saved links were being cataloged in a publicly accessible “Recent Links” page with no authentication required. This meant anyone on the internet could access years of saved code snippets, many of which contained highly sensitive information that should never have been uploaded to a third-party website.

The scope of the exposure is staggering. Researchers collected over 80,000 user submissions spanning five years of JSONFormatter data and one year of CodeBeautify data, totaling more than 5GB of information. This wasn’t a hack or a breach—it was sensitive data sitting in plain sight, accessible to anyone who knew where to look.

How the Exposure Occurred

The exposure resulted from a combination of platform design and user behavior. Both JSONFormatter and CodeBeautify include a “SAVE” button that creates a permanent or semi-permanent shareable link. When users click save, the platform generates a unique URL and adds it to a public “Recent Links” page.

The problem is threefold:

  • Public accessibility: The Recent Links pages required no authentication and could be viewed by anyone
  • Predictable URLs: The saved content followed simple, predictable URL patterns that could be easily crawled
  • User misunderstanding: Many users didn’t realize that “save” meant their data would be publicly accessible, despite the clear labeling

The URL formats were straightforward:

Researchers could systematically retrieve all saved content by iterating through the Recent Links pages and using the platforms’ getDataFromID API endpoint. This required no hacking skills—just basic web scraping knowledge.
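The three design problems above are easier to see side by side. The following is an added example, not code from the article, from watchTowr, or from either platform: a hypothetical in-memory "weak" store that models the pattern the text describes (a guessable ID sequence plus an unauthenticated recent-links index, modelled here as sequential integers, which is an assumption) beside a hardened store that hands out unguessable IDs, enforces an expiry, and exposes no enumeration endpoint at all. Class and method names are invented for illustration.

```python
"""Added example, not code from the article or from either platform: a weak
'save and list' design of the kind the text describes, beside a hardened one.
Both stores are hypothetical in-memory models; the real platforms' internals
are not known beyond what the article states."""
import secrets
import time
from typing import Dict, List, Optional, Tuple


class WeakSnippetStore:
    """Models the flawed pattern: guessable sequential IDs (an assumption,
    standing in for 'predictable URL patterns') plus a public 'recent links'
    index, so every saved item can be enumerated by anyone."""

    def __init__(self) -> None:
        self._items: Dict[str, str] = {}
        self._next_id = 1

    def save(self, text: str) -> str:
        snippet_id = str(self._next_id)      # predictable: 1, 2, 3, ...
        self._next_id += 1
        self._items[snippet_id] = text
        return snippet_id

    def get(self, snippet_id: str) -> Optional[str]:
        return self._items.get(snippet_id)

    def recent_links(self) -> List[str]:
        # Unauthenticated listing of everything ever saved: the core weakness.
        return list(self._items)


class HardenedSnippetStore:
    """Unguessable IDs, mandatory expiry, and no enumeration endpoint."""

    def __init__(self, ttl_seconds: int = 3600, id_bytes: int = 24) -> None:
        self._items: Dict[str, Tuple[str, float]] = {}   # id -> (text, expires_at)
        self._ttl = ttl_seconds
        self._id_bytes = id_bytes

    def save(self, text: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 24 random bytes = 192 bits of entropy; the link is the only capability.
        snippet_id = secrets.token_urlsafe(self._id_bytes)
        self._items[snippet_id] = (text, now + self._ttl)
        return snippet_id

    def get(self, snippet_id: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        entry = self._items.get(snippet_id)
        if entry is None:
            return None
        text, expires_at = entry
        if now >= expires_at:
            del self._items[snippet_id]      # purge on first access after expiry
            return None
        return text

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Drop every expired entry (a background job would call this); returns the count."""
        now = time.time() if now is None else now
        stale = [k for k, (_, exp) in self._items.items() if now >= exp]
        for k in stale:
            del self._items[k]
        return len(stale)

    # Deliberately no recent_links(): the only way to reach a snippet is the
    # link handed to the person who saved it.


def demo() -> dict:
    """Constructed walk-through of both stores with fixed clock values."""
    weak = WeakSnippetStore()
    for i in range(3):
        weak.save(f"snippet {i}")            # constructed sample content
    hardened = HardenedSnippetStore(ttl_seconds=60)
    sid = hardened.save("constructed secret config", now=1000.0)
    return {
        "weak_enumerable": weak.recent_links(),
        "hardened_id_len": len(sid),
        "hardened_live": hardened.get(sid, now=1030.0),
        "hardened_after_ttl": hardened.get(sid, now=1060.0),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened store still trusts whoever holds the link, so it does not make pasting credentials into a third-party service safe; it only removes the two properties (enumeration and predictability) that turned one careless save into a five-year public archive.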

What Was Exposed

The exposed data included virtually every type of sensitive credential and configuration information imaginable:

Authentication Credentials:

  • Active Directory usernames and passwords
  • Database credentials
  • FTP credentials
  • LDAP configuration information
  • Administrative JWT tokens

Cloud and Infrastructure Keys:

  • AWS access keys and secret keys
  • Cloud environment credentials
  • CI/CD pipeline secrets
  • Service account credentials

Development Resources:

  • GitHub authentication tokens
  • Code repository keys
  • JFrog credentials
  • Docker Hub credentials

API Access:

  • Helpdesk API keys
  • Meeting room API keys
  • Payment gateway credentials
  • Grafana credentials

Sensitive Files:

  • Private SSH keys
  • SSL certificate passwords
  • Configuration files with internal hostnames
  • SSH session recordings
  • Jenkins credentials

Personal Information:

  • Customer Know Your Customer (KYC) data
  • Full names, addresses, phone numbers
  • Bank account information
  • Email addresses and IP addresses
  • Links to recorded video interviews

In one shocking case, researchers found “an entire export of every single credential from someone’s AWS Secrets Manager,” according to the watchTowr Labs report.

Who Was Affected

The breach didn’t discriminate—it affected organizations across every sensitive sector imaginable:

  • Critical National Infrastructure: Organizations responsible for essential services
  • Government Agencies: Multiple government entities across various countries
  • Financial Services: Banks, insurance companies, and a major international stock exchange
  • Technology Companies: Including data lake service providers and software firms
  • Cybersecurity Firms: Ironically, security companies also leaked sensitive credentials
  • Healthcare Organizations: Medical institutions with patient data
  • Telecommunications Providers: Major telecom companies
  • Aerospace Companies: Organizations in the aerospace sector
  • Education Institutions: Universities and educational organizations
  • Retail Businesses: Consumer-facing retail companies
  • Managed Security Service Providers (MSSPs): Companies hired to protect other organizations

The Hacker News report confirmed that researchers contacted organizations in over a dozen critical sectors, though many failed to respond despite multiple attempts across various communication channels.

Real-World Examples of Exposed Data

The researchers documented several particularly concerning cases:

Major Consulting Firm: One of the “Big Four” consulting companies exposed a complete configuration file containing multiple GitHub tokens with read/write permissions to their main organization account, hardcoded credentials, and URLs pointing to delivery-related files. The leak also included the classic default password “Password123” embedded in their configuration.

U.S. Bank via MSSP: An employee at a managed security service provider uploaded their onboarding email containing Active Directory credentials not just for the MSSP’s environment, but also for their largest client—a major U.S. bank. The paste included usernames, passwords, security questions and answers, and mystery token values.

Cybersecurity Company: A listed cybersecurity firm pasted encrypted credentials for sensitive configuration files, including SSL certificate private key passwords, Service Principal Name keytab credentials, internal passwords, external and internal hostnames, and paths to keys and certificates.

Financial Exchange: AWS credentials for a major international stock exchange’s Splunk SOAR (Security Orchestration, Automation and Response) system were exposed, potentially giving attackers access to critical security infrastructure.

Banking KYC Data: Complete Know Your Customer information for bank customers was discovered, including full names, addresses, phone numbers, email addresses, IP addresses, ISP information, and URLs to recorded video interviews where customers held up their bank cards.

Government Entity: Over 1,000 lines of PowerShell code used to configure new government hosts from scratch were exposed. While credentials were properly handled using environment variables, the script revealed internal endpoints, default administrative usernames, IIS configurations, and hardening measures—a roadmap for attackers.

Technology Vendor: A Data Lake-as-a-Service provider exposed configuration files with credentials for Docker Hub, JFrog, Grafana, and RDS databases, along with domain names and email addresses that easily identified the company.

Evidence of Active Exploitation

watchTowr didn’t just discover the exposure—they proved that threat actors were already actively exploiting it. The researchers conducted a honeypot experiment by uploading fake but realistic-looking AWS access keys to both platforms with a 24-hour expiration timer.

The results were alarming. The fake credentials were accessed and tested 48 hours after the initial upload—meaning attackers retrieved and stored the credentials before they expired, then attempted to use them after the links were supposedly gone. This confirms that malicious actors are systematically scraping these platforms for valuable credentials and testing them against live systems.

This wasn’t a theoretical vulnerability—it was being actively exploited while organizations remained unaware their credentials were publicly accessible.

What You Should Do Now

If you or your organization has ever used JSONFormatter or CodeBeautify, take these immediate steps:

Immediate Actions:

  1. Audit your usage: Search your browser history and bookmarks for jsonformatter.org or codebeautify.org
  2. Check with your team: Ask colleagues if they’ve used these platforms with work-related data
  3. Review saved links: If you’ve saved any content on these platforms, assume it has been compromised
  4. Rotate all credentials: Change passwords, API keys, and tokens that may have been exposed

Specific Credential Types to Rotate:

  • Database passwords and connection strings
  • Cloud platform credentials (AWS, Azure, GCP)
  • API keys and tokens
  • Active Directory passwords
  • SSH keys and certificates
  • Application secrets and environment variables
  • Service account credentials

Prevention Measures:

  1. Never paste sensitive data into online tools: Use local, offline tools for formatting and validation
  2. Implement secrets scanning: Use tools like GitGuardian or TruffleHog to detect accidentally exposed credentials
  3. Educate your team: Train developers and IT staff about the risks of third-party online tools
  4. Use password managers: Store and share credentials securely through enterprise password management solutions like 1Password, LastPass, or Bitwarden
  5. Enable multi-factor authentication: Add an extra layer of protection for all critical systems
  6. Monitor for unauthorized access: Review access logs for unusual activity that might indicate compromised credentials

For Organizations:

  • Contact your security team immediately if you suspect exposure
  • Review access logs for the timeframe when credentials may have been exposed
  • Consider engaging incident response services if you find evidence of compromise
  • Report the incident to relevant authorities and compliance bodies as required
  • Notify affected customers if personal data was exposed

Platform Response

Following the research disclosure, both JSONFormatter and CodeBeautify temporarily disabled their save functionality. The platforms now display messages indicating they are “working to make it better” and implementing “enhanced NSFW (Not Safe For Work) content prevention measures.”

According to watchTowr, the save functionality was likely disabled in September 2024 in response to communication from affected organizations. However, the damage had already been done—years of exposed credentials remained accessible until the platforms took action.

The researchers note that many organizations they contacted never responded despite attempts through multiple channels. They worked with several national Computer Emergency Response Teams (CERTs), including:

  • NCSC UK
  • NCSC Norway
  • NCSA Greece
  • Canadian Centre for Cyber Security
  • CISA (United States)
  • CERT Poland
  • CERT EU
  • CERT France

The incident serves as a stark reminder that security isn’t just about preventing hacks—it’s about understanding how your actions and tools can inadvertently expose sensitive information. As watchTowr researchers bluntly stated: “We don’t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites.”
