Sensitive Data Exposed by JSONFormatter and CodeBeautify: Years of Passwords, API Keys Leaked

In a recent investigation, cybersecurity firm watchTowr Labs uncovered a significant data exposure involving the popular online code formatting tools JSONFormatter and CodeBeautify. These platforms, widely used by developers to format and validate code, have inadvertently exposed sensitive information, including passwords, API keys, and other confidential data, over several years.

The Extent of the Exposure

watchTowr Labs analyzed over 80,000 files from these platforms, revealing a trove of sensitive data:

– User Credentials: Usernames and passwords.
– Authentication Keys: Repository access keys and Active Directory credentials.
– Database Information: Database and FTP credentials.
– Cloud Access: Cloud environment keys.
– Configuration Details: LDAP configuration information.
– API Keys: Helpdesk and meeting room API keys.
– Session Data: SSH session recordings.
– Personal Information: Various forms of personally identifiable information (PII).

The dataset spans five years of JSONFormatter content and one year of CodeBeautify content, totaling over 5GB of enriched, annotated JSON data. ([thehackernews.com](https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html?utm_source=openai))

Affected Sectors

The exposed data impacts a wide range of sectors, including:

– Government: Sensitive governmental data.
– Telecommunications: Confidential telecom information.
– Critical Infrastructure: Data from essential services.
– Finance and Banking: Financial institutions’ credentials.
– Technology: Tech companies’ internal data.
– Retail: Retailers’ sensitive information.
– Aerospace: Aerospace industry data.
– Healthcare: Medical and patient information.
– Education: Educational institutions’ data.
– Cybersecurity: Ironically, even cybersecurity firms’ data.

This widespread exposure underscores the critical need for secure data handling practices across all industries. ([thehackernews.com](https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html?utm_source=openai))

Mechanism of Exposure

The vulnerability stems from the save functionality offered by both JSONFormatter and CodeBeautify. When users save a formatted JSON structure or code, the platforms generate a unique, shareable URL. These URLs are then listed on publicly accessible Recent Links pages without any authentication or protection. The predictable URL structure made it easy for malicious actors to scrape and access these links using simple web crawlers. ([thehackernews.com](https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html?utm_source=openai))

Examples of Leaked Information

The types of sensitive information exposed include:

– Jenkins Secrets: Configuration files containing encrypted credentials.
– Banking Information: Know Your Customer (KYC) data associated with banks.
– AWS Credentials: Access keys linked to major financial exchanges’ Splunk instances.
– Active Directory Credentials: Sensitive credentials for banking institutions.

These examples highlight the severe risks posed by the inadvertent exposure of such critical information. ([thehackernews.com](https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html?utm_source=openai))

Exploitation by Malicious Actors

To assess the potential for exploitation, watchTowr Labs uploaded fake AWS access keys to these platforms. Within 48 hours, they observed attempts by malicious actors to use these keys, indicating that such exposed information is actively being scraped and tested by unauthorized parties. ([thehackernews.com](https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html?utm_source=openai))

Response from JSONFormatter and CodeBeautify

In response to these findings, both platforms have temporarily disabled their save functionalities. They have stated that they are working on improving these features and implementing enhanced content prevention measures. This action likely resulted from communications with affected organizations alerted by watchTowr Labs. ([thehackernews.com](https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html?utm_source=openai))

Recommendations for Users

To mitigate the risks associated with using online code formatting tools:

1. Avoid Sharing Sensitive Data: Refrain from pasting or saving any sensitive information, such as credentials or personal data, into online tools.
2. Use Local Tools: Opt for offline or locally installed code formatting tools to process sensitive data.
3. Review Data Handling Policies: Familiarize yourself with the content and data storage policies of any online tool you use.
4. Monitor for Exposure: Regularly check for unauthorized access or exposure of your data and credentials.

By adopting these practices, individuals and organizations can better protect their sensitive information from unintended exposure.

Conclusion

The inadvertent exposure of sensitive data through JSONFormatter and CodeBeautify serves as a stark reminder of the importance of secure data handling practices. Organizations must exercise caution when using online tools and ensure that they do not inadvertently share confidential information. Implementing robust security measures and adhering to best practices can significantly reduce the risk of data breaches and unauthorized access.

Category: Security News