Security Flaw in JSONFormatter and CodeBeautify exposes credentials of critical organizations
Tshedimoso Makhene
Nov 30, 2025 11:58:20 AM
Two widely used online code formatting tools, JSONFormatter and CodeBeautify, have inadvertently exposed thousands of sensitive credentials belonging to banks, government agencies, healthcare providers, and tech companies.
What happened
According to Bleeping Computer, cybersecurity researchers have revealed a major accidental leak: thousands of credentials, keys, and configuration files belonging to banks, governments, and technology firms were exposed publicly. This breach occurred because these sensitive details were pasted into online code-formatting tools.
Going deeper
The leak stems from two popular online tools, JSONFormatter and CodeBeautify, which developers often use to format code or JSON snippets. When users clicked “save,” the services created unique URLs for the formatted output and added them to a “Recent Links” page. As this Recent Links page had no authentication or privacy barriers and used predictable URLs, anyone could access the stored snippets.
Researchers from external-attack-surface company WatchTowr scraped the publicly accessible Recent Links pages and discovered over 80,000 user “pastes”, amounting to more than 5 GB of data, covering about five years of JSONFormatter data and one year of CodeBeautify data.
The exposed secrets were far from innocuous. Among the leaked data were:
- Active Directory, database, and cloud service credentials.
- Private encryption keys, SSL certificate passwords, and access keys for payment gateways, API tokens, CI/CD systems, and code repositories.
- SSH session logs, personally identifiable information (PII), and know-your-customer (KYC) data.
- Specific examples included production AWS credentials tied to a major international stock exchange’s automation system, credentials leaked by a managed security service provider (MSSP) for a bank, and detailed configuration files from a cybersecurity firm (including internal hostnames/IPs, certificates, and paths to keys).
There is no evidence that attackers had already begun exploiting these exposures. The WatchTowr team nevertheless planted fake AWS keys as a trap and observed access attempts against them just 48 hours after upload.
Affected organizations were notified in many cases; some responded and remediated the exposure, but many did not reply. As of now, the Recent Links pages on JSONFormatter and CodeBeautify remain freely accessible.
What was said
Security researcher Jake Knott warned that this is not a minor misconfiguration. In a comment cited in reports, Knott said: “We don’t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites.”
WatchTowr indicated that these sites likely disabled the save functionality in reaction to the research. "We suspect this change occurred in September in response to communication from a number of the affected organizations we alerted," it added.
Why it matters
The leak affects organizations in highly sensitive domains, including government, banking and finance, critical infrastructure, healthcare, aerospace, telecommunications, and cybersecurity firms. The breadth of the incident means attackers could gain entry into systems with enormous downstream risk. These sectors rely on secure authentication and tightly controlled access, meaning that exposed credentials could offer attackers direct pathways into production environments, internal networks, and secure data systems.
FAQs
What can affected organizations do to protect themselves now?
Organizations should immediately audit for exposed credentials, revoke and rotate any leaked keys or passwords, implement stricter secret management policies, and educate developers on secure handling of sensitive information.
How can organizations detect if leaked credentials have been used by attackers?
Monitoring logs for unusual activity, using anomaly detection tools, and setting up alerts for unauthorized access attempts can help detect exploitation of leaked secrets.
Does this incident affect compliance with regulations like GDPR or HIPAA?
Potentially, yes. Exposing personal or sensitive information may violate data protection regulations, leading to legal consequences and fines if not properly managed and reported.
How can developers avoid such exposures in the future?
Developers should avoid sharing real credentials in online tools, use local formatting tools where possible, and adopt secret management solutions such as vaults or environment variables that keep secrets out of source code.
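The two FAQ answers above (auditing pasted material for exposed credentials, and formatting locally instead of in a browser tool) can be combined in one small script. The following is an added example written for this article, not code from WatchTowr or from either formatting site: it pretty-prints JSON on the developer's own machine and masks values that look like secrets before the output goes anywhere. The key-name list and value patterns are assumed heuristics, and the sample config is constructed (AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key ID).

```python
import json
import re

# Heuristics (assumed, not from the article): key names that usually hold credentials,
# and value shapes that identify a secret regardless of the key it sits under.
SENSITIVE_KEY = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|access[_-]?key", re.I)
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),   # AWS access key ID shape
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def scan(obj, path="$"):
    """Walk parsed JSON; return (redacted_copy, findings), findings as (json_path, reason)."""
    if isinstance(obj, dict):
        out, findings = {}, []
        for k, v in obj.items():
            child = f"{path}.{k}"
            if SENSITIVE_KEY.search(k) and isinstance(v, str) and v:
                findings.append((child, f"sensitive key name '{k}'"))
                out[k] = "[REDACTED]"
            else:
                out[k], sub = scan(v, child)
                findings.extend(sub)
        return out, findings
    if isinstance(obj, list):
        out, findings = [], []
        for i, v in enumerate(obj):
            item, sub = scan(v, f"{path}[{i}]")
            out.append(item)
            findings.extend(sub)
        return out, findings
    if isinstance(obj, str):
        for name, pat in VALUE_PATTERNS.items():
            if pat.search(obj):
                return "[REDACTED]", [(path, f"value matches {name}")]
    return obj, []

def format_locally(text):
    """Pretty-print JSON locally and mask flagged secrets; returns (formatted_text, findings)."""
    redacted, findings = scan(json.loads(text))
    return json.dumps(redacted, indent=2, sort_keys=True), findings

# Constructed sample config for demonstration; nothing here is a real credential.
SAMPLE = json.dumps({
    "service": "payments-gw",
    "db": {"host": "db.internal.example", "password": "hunter2"},
    "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "eu-west-1"},
    "tls_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----",
})
```

Running `format_locally(SAMPLE)` flags the database password, the AWS key ID and the PEM key, and returns output in which each of them reads `[REDACTED]` while non-secret fields such as the region survive unchanged.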