Code Beautifiers Are Exposing High Risk Access Credentials Online

Researchers have uncovered a significant security issue involving popular online code beautifiers, where sensitive credentials and configuration data have been publicly exposed for years. Platforms such as JSONFormatter and CodeBeautify allow users to format and share code, but their public link systems have left high-risk data accessible to anyone who knows where to look.

According to the investigation, more than 80,000 user pastes totaling over 5GB were available through unprotected Recent Links pages. These pages store user submissions that were saved for temporary sharing, but the links were never restricted or hidden. Anyone could browse the content simply by loading predictable URLs or using basic automated crawlers.

The exposed data includes credentials and internal information from banks, government agencies, critical infrastructure operators, technology firms, healthcare providers, educational institutions, and cybersecurity companies. Researchers described the scope of the leak as both widespread and severe, warning that many organizations appear unaware that their data was made public this way.

How the exposure happened

Both code beautifiers allow users to paste raw code and format it for readability. When users click the save button, the platform generates a unique link that preserves the formatted output on the server. These links are organized under a Recent Links section that is openly accessible and follows a predictable pattern. No authentication is required, and no privacy protections are applied to user-submitted content.

The researchers were able to scrape five years of JSONFormatter data and one year of CodeBeautify data through these public pages. By retrieving content through the platforms’ getDataFromID API endpoints, they were able to gather thousands of files containing sensitive information.

Among the exposed data were:

  • Active Directory credentials
  • Database and cloud service credentials
  • Private keys and certificate passwords
  • API tokens and repository access keys
  • SSH session recordings
  • Payment gateway secrets
  • KYC information and other forms of PII

One example involved a cybersecurity company whose exposed snippet contained encrypted credentials for an internal configuration file, SSL certificate passwords, hostnames, IP addresses, and file paths. Another case involved a government entity whose script revealed internal endpoints, configuration values, and registry key settings even though no hardcoded credentials were present.

A financial exchange was shown to have exposed valid production AWS credentials tied to its Splunk SOAR system. A managed security service provider leaked Active Directory credentials and internal access information for a major banking client.

Evidence of active scanning

To determine whether attackers were already harvesting data from these public pages, the researchers planted Canarytokens to simulate real AWS access keys. They submitted the fake credentials through the save function in both beautifiers. Although the links were set to expire after 24 hours, the honeypot system recorded attempts to use the fake keys 48 hours after upload.

This indicates that threat actors or automated scanning tools are already monitoring these services and attempting to exploit exposed secrets.

Slow remediation and ongoing exposure

The researchers contacted numerous affected companies, but many did not respond or have not yet resolved the underlying issues. At the time of the report, the Recent Links sections on both platforms remained publicly accessible, allowing anyone to scrape newly saved data at any time.

The findings highlight a recurring problem in online development tools. Users may unknowingly share sensitive information when pasting configuration files, scripts, or logs into public web tools that do not clearly warn about storage or sharing practices. The issue becomes more serious when these tools store content indefinitely in locations that can be indexed or guessed by automated crawlers.

Security experts recommend that organizations monitor for leaked credentials using scanning tools, rotate exposed keys immediately, and avoid using public code formatting services for sensitive content. Services such as Canarytokens allow teams to detect unauthorized access attempts and determine if exposed data is being targeted.
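As an added illustration of the "scan before you share" advice above (this is example code, not a tool from the researchers or either platform), the scanner below flags the secret categories the report lists in a constructed config paste; the regex set, the sample values and the `safe_to_share` gate are assumptions for this example, and a real deployment would use a maintained secret scanner with a far larger pattern library.

```python
import re

# Detection patterns for the secret categories the report lists. Pattern set
# and the sample paste below are constructed for this example, not taken from
# the researchers' data.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "credential_field": re.compile(
        r'"[a-z_]*(?:password|passwd|secret|api_key|token)[a-z_]*"\s*:\s*"[^"]{6,}"', re.I),
    "connection_string": re.compile(r"\b(?:mongodb|postgres|mysql)://[^:\s]+:[^@\s]+@", re.I),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

def redact(value):
    """Keep a short prefix only, so a finding can be triaged without re-exposing the secret."""
    return value[:8] + "..." if len(value) > 8 else value

def scan_text(text):
    """Return (category, line_number, redacted_match) for every secret-like token found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((name, lineno, redact(match.group(0))))
    return findings

def safe_to_share(text):
    """True only when no pattern fires; gate a paste on this before it leaves the workstation."""
    return not scan_text(text)

# Constructed sample resembling a Splunk SOAR / LDAP config someone might paste into a formatter.
SAMPLE_PASTE = """{
  "splunk_soar": {
    "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "region": "us-east-1"
  },
  "ldap": {"bind_dn": "CN=svc-backup,OU=Service,DC=corp,DC=example", "password": "Winter2024!"},
  "db_url": "postgres://app:hunter2pass@db.internal.example:5432/app",
  "tls_key": "-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA... -----END RSA PRIVATE KEY-----"
}"""

if __name__ == "__main__":
    for category, lineno, snippet in scan_text(SAMPLE_PASTE):
        print(f"line {lineno}: {category} -> {snippet}")
    print("safe to share:", safe_to_share(SAMPLE_PASTE))
```

The findings carry only a redacted prefix, so the scanner's own output can be logged or ticketed without becoming a second copy of the leak.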

The exposure remains active, and any organization that has used these platforms to format internal configuration files should assume that the content may be publicly reachable. Until the affected code beautifiers change their storage practices or restrict access, newly saved code may continue to expose credentials that put major institutions at risk.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
