
Sensitive Data Exposed via Publicly Accessible Code-Formatting Tools

2 unique sources, 3 articles

Summary


Over 80,000 JSON snippets containing sensitive credentials, authentication keys, and configuration data from organizations in critical sectors were exposed through the Recent Links feature of JSONFormatter and CodeBeautify. The data, totaling over 5GB, included Active Directory credentials, database and cloud credentials, private keys, CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, and personally identifiable information (PII). Researchers found that threat actors actively scanned and accessed this exposed data, with some organizations failing to remediate the issue. The exposed data impacted sectors such as government, banking, healthcare, and cybersecurity, with some credentials linked to major financial exchanges and managed security service providers (MSSPs). The Recent Links feature, which lacks access controls, allows anyone to scrape the data using predictable URLs. Researchers also set up a honeypot to confirm that threat actors were actively scanning for sensitive information, with access attempts recorded even after the links had expired. Both JSONFormatter and CodeBeautify have temporarily disabled the save functionality in response to the research, claiming they are working on enhanced NSFW content prevention measures.

Timeline

  1. 25.11.2025 14:01 · 3 articles

    Sensitive Data Exposed via Publicly Accessible Code-Formatting Tools

    Researchers discovered over 80,000 JSON snippets containing sensitive credentials, authentication keys, and configuration data exposed through the Recent Links feature of JSONFormatter and CodeBeautify. The data, totaling over 5GB, impacted organizations in critical sectors such as government, banking, healthcare, and cybersecurity. Threat actors were found to be actively scanning and accessing this data, with some organizations failing to remediate the issue. The exposed data included CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, and large amounts of PII. Specific examples of exposed data from various sectors were also highlighted, including a cybersecurity company, a government entity, and a technology company providing Data Lake-as-a-Service (DLaaS) products. Researchers set up a honeypot to confirm that threat actors were actively scanning for sensitive information, with access attempts recorded even after the links had expired. The exposed data spans five years of historical JSONFormatter content and one year of historical CodeBeautify content. The tools' Recent Links feature follows a predictable URL format, making it easier for bad actors to retrieve all URLs using a simple crawler.
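The Summary and the timeline entry above both describe credential-laden JSON configs being pasted into public formatters. As an added example that is not part of the original article or of the tools named, the following Python scanner walks a JSON document the way a pre-share check would, flagging values under credential-like key names, well-known secret shapes (PEM private-key blocks, AWS access key IDs, URLs embedding credentials) and long high-entropy strings hiding under innocuous keys; the key-name list, the entropy threshold and the sample document are all assumptions or constructed.

```python
import json
import math
import re
# Heuristic list of credential-like key names (an assumption, not from the research)
SENSITIVE_KEY = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|"
                           r"connection[_-]?string|credential", re.I)
# Value shapes that are secrets regardless of the key they sit under
VALUE_PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url_with_credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}

def shannon_entropy(s):
    probs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan(node, path="$"):
    """Walk parsed JSON recursively; return (json_path, reason) findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY.search(key) and isinstance(value, str) and value:
                findings.append((child, f"sensitive key name '{key}'"))
            findings.extend(scan(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(scan(value, f"{path}[{i}]"))
    elif isinstance(node, str):
        findings.extend((path, name) for name, pat in VALUE_PATTERNS.items() if pat.search(node))
        # Long, space-free, high-entropy strings catch tokens stored under innocuous key names
        if len(node) >= 32 and " " not in node and shannon_entropy(node) > 4.5:
            findings.append((path, "high-entropy string"))
    return findings

def scan_json_text(text):
    return scan(json.loads(text))

# Constructed sample resembling the kind of config that was exposed (every value is fake)
SAMPLE = json.dumps({
    "app": {"name": "billing-api", "env": "prod"},
    "database": {"host": "db.internal.example", "user": "svc_billing", "password": "Winter2025!"},
    "ldap": {"bind_dn": "CN=svc,OU=Service,DC=corp,DC=example", "bind_password": "Corp#1234"},
    "env": [{"name": "GITHUB_PAT", "value": "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"}],
    "aws": {"access_key_id": "AKIAEXAMPLEKEY000000"},
    "tls_key": "-----BEGIN RSA PRIVATE KEY-----\n<key material elided>\n-----END RSA PRIVATE KEY-----",
    "webhook": "https://user:hunter2@hooks.example.internal/notify",
})
```

Wire scan_json_text() into whatever step hands data to an external formatter or pastebin; a non-empty result should block the share and point the user at the offending JSON paths.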



Similar Happenings

WordPress Sites Exploited for ClickFix Phishing Attacks

WordPress sites are being exploited to inject malicious JavaScript that redirects users to phishing pages. The attacks use a theme-related file to load a dynamic payload from a remote server, which includes a JavaScript file and a hidden iframe mimicking legitimate Cloudflare assets. The domain involved is part of a traffic distribution system (TDS) known as Kongtuke. The campaign highlights the need for securing WordPress sites and keeping software up-to-date. Additionally, a new phishing kit named IUAM ClickFix Generator allows attackers to create customizable phishing pages mimicking browser verification challenges. This kit has been used to deploy information stealers like DeerStealer and Odyssey Stealer. The emergence of such tools lowers the barrier to entry for cybercriminals, enabling sophisticated, multi-platform attacks. A new ClickFix campaign employs cache smuggling to evade detection, using the browser's cache to store malicious data without downloading files or communicating with the internet. The attack masquerades as a Fortinet VPN Compliance Checker, executing an obfuscated payload via a PowerShell script.

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

In September 2025, SonicWall disclosed a security breach affecting MySonicWall accounts and confirmed that all customers using its cloud backup service had firewall configuration files accessed by an unauthorized actor. The breach, initially detected in early September 2025, was caused by a series of brute-force attacks; attackers accessed the API service for cloud backup. The accessed backup files contain AES-256-encrypted credentials and configuration data, and may contain sensitive information such as credentials and tokens for services running on SonicWall devices, increasing the risk of targeted attacks and potentially making exploitation of SonicWall firewalls easier for threat actors. SonicWall has advised customers to reset credentials, update secrets, and follow detailed guidance to mitigate potential risks. The company has cut off attackers' access and is collaborating with Mandiant and law enforcement agencies. There is no evidence that threat actors have leveraged the exposed data against impacted customers in attacks at this time. Additionally, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds.

The threat actor UNC6148 has been deploying the OVERSTEP malware, a previously unknown persistent backdoor/user-mode rootkit, to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and recurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates whose private keys were stored on the appliance.

Over 100 SonicWall SSL VPN accounts across 16 customer accounts have been compromised. The compromised accounts were accessed rapidly, indicating the use of valid credentials rather than brute-forcing, and were accessed from the IP address 202.155.8[.]73. In some cases, threat actors conducted network scanning and attempted to access local Windows accounts. Huntress has not found evidence linking the breach to the recent spike in compromises.

DeepSeek Data Leak Exposes Over 1 Million Sensitive Log Streams

In January 2025, Wiz Research discovered a data leak at DeepSeek, a Chinese AI specialist. The leak exposed over 1 million sensitive log streams, including chat history and secret keys, through a publicly accessible ClickHouse database. The database allowed full control over database operations, enabling unauthorized access to internal data. Wiz Research promptly reported the issue, and DeepSeek secured the exposure. The incident highlights the risks associated with data leakage, which can occur intentionally or unintentionally through various vectors such as misconfigured cloud storage, endpoint vulnerabilities, emails, and shadow IT. The consequences of data leakage can be severe, including regulatory fines, loss of intellectual property, financial fraud, and reputational damage. Organizations can mitigate these risks through measures such as enforcing least-privilege access, implementing data loss prevention strategies, classifying sensitive data, conducting regular audits, and providing adequate training. Outpost24's CompassDRP offers tools to detect potentially leaked documents and source code, helping organizations manage their expanding digital attack surface.

Azure Active Directory Credentials Exposed via Public ASP.NET Configuration File

A publicly accessible ASP.NET Core configuration file (appsettings.json) leaked Azure Active Directory (AD) credentials, potentially allowing attackers to authenticate via Microsoft's OAuth 2.0 endpoints and infiltrate Azure cloud environments. The exposed credentials, ClientId and ClientSecret, could be used to compromise cloud accounts, steal data, and perform further intrusions. The misconfiguration highlights the risks of poor secrets management in cloud-native applications. The discovery was made by Resecurity's HUNTER team, who found the credentials exposed on the public Internet. The affected company has since closed the loophole. This incident underscores the critical need for enterprises to monitor and secure their cloud configurations to prevent similar breaches.

Credential Leaks Surge 160% in 2025

Leaked credentials accounted for 22% of breaches in 2024, a trend that continued into 2025 with a 160% increase. Cyberint, now part of Check Point, reports that leaked credentials are increasingly used for account takeovers, credential stuffing, spam distribution, and extortion. The surge in leaked credentials is driven by automation and accessibility, with infostealer malware and AI-generated phishing campaigns facilitating credential theft. Organizations face significant risks from these leaks, which often go undetected for extended periods. Cyberint's threat detection systems, combined with human analysis, provide a comprehensive approach to identifying and mitigating credential leaks before they are actively exploited.