watchTowr Labs’ latest research shows that thousands of highly sensitive credentials and secrets are exposed in public online tools like JSONFormatter.org and CodeBeautify.org, where users paste configuration snippets and then save shareable links. By crawling "recent links" pages and fetching the saved content, researchers recovered more than 80,000 JSON uploads spanning five years, uncovering Active Directory credentials, database keys, cloud access tokens, API keys, private keys, and even complete exports from AWS Secrets Manager, mapped to MITRE ATT&CK T1552 (Unsecured Credentials) and T1081 (Credentials in Files).

The dataset included secrets belonging to critical national infrastructure, government agencies, banks, insurers, technology firms, and cybersecurity vendors. In some cases, researchers found Jenkins credentials.xml exports, Splunk SOAR automation AWS credentials for a major stock exchange, and onboarding emails from a managed security service provider that contained full login details for a large banking client. Many of these secrets were saved as public links on third-party sites that state clearly that the data is shareable, yet users appeared to misunderstand or ignore the risk.

This pattern illustrates a systemic supply-chain and insider-like risk driven by convenience: engineers, administrators, and MSSP staff paste raw configuration and credential material into online "helper" tools to debug or pretty-print JSON, then click save to share the result with colleagues. Attackers, including low-resourced ones, can replicate watchTowr’s methodology to harvest credentials at scale without exploiting any software vulnerability, then reuse those secrets to access VPNs, cloud consoles, CI/CD systems, and production databases. Regulatory risk is also significant where leaked data includes PII or KYC information from banks and regulated entities. Mitigation requires immediate hygiene measures and long-term cultural change.
Organizations should ban the use of unvetted online tools for handling secrets or production data, provide vetted internal alternatives, and run periodic internet-wide exposure checks for their own domains and IP ranges. Security teams should rotate credentials identified in the research (where notified), deploy secret-scanning in source control and CI pipelines, and reinforce policy that usernames, passwords, keys, and customer data must never be pasted into public websites. Longer term, treating secrets management as a core discipline with dedicated tooling and training will reduce the temptation to use risky shortcuts.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: The widespread leakage of high-value credentials into public code formatting sites exposes organizations to silent account takeover, cloud compromise, and supply-chain attacks without any direct breach of their own infrastructure. The impact spans operational outages, data theft, and regulatory violations, especially for the financial and critical infrastructure sectors highlighted in the research.

Technical Context: Adversaries can leverage T1552 and T1081 by programmatically harvesting secrets from "shareable" URLs on public tools, then using those credentials to access production systems, VPNs, and administrative consoles. Traditional perimeter defenses offer little protection if valid credentials are freely available online, making secret hygiene and scanning critical.
⚡Strategic Intelligence Guidance
- Immediately issue internal guidance banning use of public code formatting and debugging tools for any data containing credentials, keys, or customer information, and provide vetted internal alternatives.
- Deploy automated secret-scanning in repositories, CI/CD pipelines, and outbound web proxies to detect and block uploads containing sensitive values to unapproved domains.
- Rotate and harden credentials associated with domains or systems identified in similar research and perform targeted compromise assessments of high-risk assets.
- Strategically invest in centralized secrets management platforms, user training, and clear ownership of secret hygiene to make secure tooling easier to use than risky ad hoc solutions.
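A minimal pre-upload secret scanner of the kind the second guidance point calls for (the check an outbound proxy or pre-commit hook would run over a JSON paste), added here as an illustration and not taken from the watchTowr research or the CORTEX assessment. The regex patterns, the key-name list and SAMPLE_UPLOAD are constructed assumptions; the AKIA value is the placeholder key used in AWS documentation.

```python
import json
import re

# Constructed heuristics for secret-shaped values; not an exhaustive ruleset.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Key names that usually carry credentials (case-insensitive substring match).
SENSITIVE_KEY_FRAGMENTS = ("password", "passwd", "secret", "token", "api_key", "apikey", "private_key", "credential")

def _walk(node, path):
    """Yield (path, leaf) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + [str(key)])
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk(value, path + [f"[{idx}]"])
    else:
        yield path, node

def scan_json_for_secrets(text):
    """Return [(json_path, reason)] for values that look like secrets; an empty list means
    the paste is clean. Input that is not valid JSON is regex-scanned as raw text."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [("<raw>", f"value matches {name}")
                for name, rx in VALUE_PATTERNS.items() if rx.search(text)]
    findings = []
    for path, value in _walk(doc, []):
        if not isinstance(value, str) or not value:
            continue  # numbers, booleans, nulls and empty strings are never flagged
        dotted, key = ".".join(path), (path[-1].lower() if path else "")
        if any(frag in key for frag in SENSITIVE_KEY_FRAGMENTS):
            findings.append((dotted, "sensitive key name"))
        findings += [(dotted, f"value matches {name}")
                     for name, rx in VALUE_PATTERNS.items() if rx.search(value)]
    return findings

# Constructed sample resembling a pasted service config; every value is a placeholder.
SAMPLE_UPLOAD = json.dumps({
    "service": "payments-api", "timeout_seconds": 30,
    "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE",
            "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    "db": {"host": "db.internal", "password": "constructed-placeholder"},
    "tls": {"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----"},
})
```

A non-empty result from scan_json_for_secrets is the signal to block the upload and alert the owner; the key-name check catches fields whose values no regex would recognize, such as the secret_access_key and database password above.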
Threats
credential harvesting, supply chain compromise
Targets
critical national infrastructure operators, banks, governments, MSSPs
Impact
Data Volume: 80000+ JSON uploads and thousands of secrets