Executive Summary
In late 2025, researchers uncovered that thousands of sensitive credentials, including passwords and API keys from governments, telecoms, and critical infrastructure organizations, were exposed after being pasted into public web-based code formatting tools such as JSONFormatter and CodeBeautify. This inadvertent data exposure occurred over several years, as users leveraged these tools for convenience, unaware that information was being logged and stored without proper security. Security experts at watchTowr Labs discovered over 80,000 files containing this data, raising alarm over the significant risk posed to organizations relying on manual and unsecured workflows.
This incident has highlighted the growing risks of shadow IT and insecure use of web utilities in enterprise environments. It mirrors a broader trend of misconfigured third-party tools creating substantial vulnerabilities, elevating concerns amid regulatory crackdowns and increased exploitation of exposed secrets by attackers.
Why This Matters Now
Sensitive credentials are frequently exposed as organizations inadvertently misuse online tools not designed for secure data handling. This incident underscores the urgent need for tighter controls, increased security awareness, and stronger policies to prevent accidental data leakage in an era of escalating supply chain and credential-based attacks.
Attack Path Analysis
Attackers harvested credentials and sensitive data pasted by users into online sites like JSONFormatter and CodeBeautify (Initial Compromise). With these harvested credentials, adversaries accessed cloud services or sensitive internal resources without authorization (Privilege Escalation). Malicious actors potentially used valid credentials to move laterally within cloud environments, accessing additional data stores or systems (Lateral Movement). Adversaries established channels to manage compromised assets and prepare data exfiltration (Command & Control). Sensitive data, including passwords and API keys, was exfiltrated over the internet—possibly over unencrypted channels (Exfiltration). This led to account compromise, further breaches, and risk of business disruption or exposure of critical assets (Impact).
Kill Chain Progression
Initial Compromise
Description
Attackers collected sensitive credentials and data that users pasted into online formatting tools lacking proper security controls.
MITRE ATT&CK® Techniques
Transfer Data to Cloud Account
Unsecured Credentials
Automated Collection
Credentials in Files
Exfiltration Over Web Service
User Execution
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Storage of Sensitive Authentication Data
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 12(1)
CISA Zero Trust Maturity Model 2.0 – Restricting Credential Handling
Control ID: Identity Pillar – User Practices
NIS2 Directive – Cybersecurity Risk-Management and Reporting
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical data exposure risk from developers pasting sensitive credentials into online formatting tools, endangering national security and violating citizen data protection requirements.
Telecommunications
High vulnerability to credential leaks through code formatting sites, exposing network infrastructure and customer data to potential lateral movement and service disruption attacks.
Utilities
Severe risk from exposed API keys and passwords in critical infrastructure systems, enabling potential attacks on power grids and the delivery of essential services.
Financial Services
Extensive exposure of banking credentials and financial system access keys through insecure online tools, violating PCI compliance and enabling fraud attacks.
Sources
- Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys: https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html
- Code beautifiers expose credentials from banks, govt, tech orgs: https://www.bleepingcomputer.com/news/security/code-formatters-expose-thousands-of-secrets-from-banks-govt-tech-orgs/
- Popular code formatting sites are exposing credentials and other secrets: https://www.helpnetsecurity.com/2025/11/25/code-formatting-sites-exposing-secrets/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic security, strong egress policy, and runtime policy enforcement would have significantly reduced risk by limiting unauthorized access, lateral movement, and unmonitored data exfiltration. CNSF controls mapped to credential handling, data-in-transit encryption, and centralized policy visibility can detect, restrict, or prevent each phase of this incident.
Control: Multicloud Visibility & Control
Mitigation: Centralized observability highlights unsafe egress to unsanctioned SaaS tools.
Control: Zero Trust Segmentation
Mitigation: Limits attackers' scope by ensuring access follows least-privilege, identity-based policies.
Control: East-West Traffic Security
Mitigation: Restricts and monitors internal communication to detect and contain unauthorized access attempts.
Control: Threat Detection & Anomaly Response
Mitigation: Detects suspicious remote access or anomalous sessions quickly for incident response.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or intercepts unauthorized data transfers to the public internet, and enables rapid containment and remediation via distributed enforcement and response controls.
Impact at a Glance
Affected Business Functions
- IT Operations
- Security Management
- Compliance
- Customer Service
Estimated downtime: 7 days
Estimated loss: $5,000,000
The incident led to the exposure of sensitive credentials, including usernames, passwords, API keys, and personal information. This data was accessible through publicly available 'Recent Links' on JSONFormatter and CodeBeautify platforms, affecting organizations across critical sectors such as government, finance, healthcare, and technology.
Recommended Actions
Key Takeaways & Next Steps
- Enforce centralized egress controls and monitoring to detect and block unsanctioned data sharing with public tools.
- Implement Zero Trust segmentation and least-privilege policies for all identities and workloads to minimize lateral movement and privilege abuse.
- Ensure all data in transit is encrypted and monitor for unencrypted flows to external destinations.
- Deploy continuous anomaly detection and rapid incident response for elevated outbound or unusual cloud service traffic.
- Educate users on the risks of copying sensitive data into third-party tools and provide secure alternatives within the organization.
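The first takeaway above, egress monitoring for pastes into public formatting tools, as an added example that is not part of the original brief. It scans constructed proxy log lines for requests to the formatter sites the brief names; the hostnames (jsonformatter.org, codebeautify.org), the log line format and the size threshold are assumptions, not values from the brief.

```python
import re
from dataclasses import dataclass

# Assumed hostnames of the public formatting tools named in the brief.
UNSANCTIONED_FORMATTERS = {"jsonformatter.org", "codebeautify.org"}

# Constructed proxy log format: "<ts> <client_ip> <method> <url> <status> <bytes_out>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<out>\d+)$")
HOST_RE = re.compile(r"^https?://(?:[^/@]+@)?(?P<host>[^/:?#]+)")

@dataclass
class Finding:
    ts: str
    src: str
    host: str
    method: str
    bytes_out: int
    severity: str

def host_of(url):
    """Extract the hostname from a URL, ignoring userinfo, port and path."""
    m = HOST_RE.match(url)
    return m.group("host").lower() if m else ""

def is_formatter(host):
    # Match the registered domain itself and any subdomain of it (www., api., ...).
    return any(host == d or host.endswith("." + d) for d in UNSANCTIONED_FORMATTERS)

def scan_proxy_log(lines, large_post=1024):
    """Return one Finding per request to an unsanctioned formatter site."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        host = host_of(m["url"])
        if not is_formatter(host):
            continue
        out = int(m["out"])
        # A GET is only a visit; a POST is a paste. Large POSTs most likely carry config/JSON.
        sev = ("high" if out >= large_post else "medium") if m["method"] == "POST" else "low"
        findings.append(Finding(m["ts"], m["src"], host, m["method"], out, sev))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2025-11-20T09:01:02Z 10.1.4.22 GET https://jsonformatter.org/ 200 0",
    "2025-11-20T09:01:30Z 10.1.4.22 POST https://jsonformatter.org/ 200 4096",
    "2025-11-20T09:02:11Z 10.1.7.9 POST https://www.codebeautify.org/ 200 512",
    "2025-11-20T09:03:00Z 10.1.7.9 POST https://api.internal.example/v1/deploy 201 9000",
    "garbage line",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ts} {f.src} {f.method} {f.host} ({f.bytes_out} bytes)")
```

High-severity findings are the ones worth a blocking egress rule and a user follow-up; the constant list is the place to add any other public paste or formatter service the organization does not sanction.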