A new investigation has uncovered that sensitive credentials from governments, telecoms, financial institutions, and critical infrastructure have been unintentionally exposed through popular online code formatting tools such as JSONFormatter and CodeBeautify. These websites, commonly used to validate or beautify JSON and other code snippets, have become unintended repositories of private information due to users pasting sensitive configurations into them.
Research by watchTowr Labs revealed a dataset of more than eighty thousand files collected from these services. The leaked information included usernames, passwords, repository access tokens, Active Directory login details, database and FTP credentials, cloud environment keys, LDAP configuration data, helpdesk API keys, meeting room API keys, SSH session recordings, and significant amounts of personal information.
The dataset contained five years of historical JSONFormatter material and one year of CodeBeautify content, representing more than five gigabytes of enriched and annotated JSON data. The exposure affects organizations across sectors such as national infrastructure, government, banking, finance, insurance, technology, retail, aerospace, telecommunications, healthcare, education, travel, and even cybersecurity.
Security researcher Jake Knott noted that these tools frequently appear at the top of search results for queries like JSON beautification or code formatting. This visibility encourages widespread use by developers, administrators, and individuals working on both enterprise and personal projects.

Both platforms allow users to save formatted data, generating shareable, semi-permanent links. Anyone with access to these URLs can retrieve the content. The sites also offer a Recent Links page and rely on predictable URL patterns, enabling attackers to scrape large volumes of exposed data through automated crawling techniques.
Examples of leaked items include Jenkins configuration secrets, encrypted credentials from a cybersecurity company, Know Your Customer data linked to a financial institution, AWS access keys belonging to a major financial exchange’s Splunk environment, and Active Directory credentials associated with a bank.

watchTowr Labs also tested how quickly malicious actors scan for these leaks. The company uploaded fake AWS keys to one of the tools, and within forty-eight hours, unknown parties attempted to use them. This shows that threat actors actively monitor these platforms for exposed credentials.
Knott warned that the misuse of these online formatting tools has created unnecessary risk, stating that organizations urgently need to stop pasting confidential information into random websites.
When contacted, both JSONFormatter and CodeBeautify confirmed that they have temporarily disabled the save feature, stating that they are improving platform security and adding stricter NSFW content controls. watchTowr believes the change was introduced in September following notifications to affected organizations.


