Overview
- watchTowr scraped the unprotected, predictably enumerable Recent Links pages of JSONFormatter and CodeBeautify to collect more than 80,000 saved JSON pastes, totaling over 5 GB and spanning years of data.
- The trove included Active Directory and database credentials, cloud access keys, private keys, CI/CD and repository tokens, API keys, SSH session recordings, and large volumes of PII.
- Canarytokens planted as decoy AWS keys were probed 48 hours after upload, demonstrating that third parties are harvesting and testing exposed credentials.
- Notable finds included production AWS credentials tied to a major financial exchange’s Splunk SOAR, bank credentials exposed via an MSSP onboarding email, and sensitive configuration details from a cybersecurity firm.
- JSONFormatter has disabled its Save feature and its Recent Links page is no longer reachable; CodeBeautify's Recent Links page remains accessible; and many notified organizations have not fully remediated, so the risk is ongoing, and similar tools are likely to leak data the same way.
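The practical takeaway from these findings is that anything pasted into a third-party formatter should be treated as published. The following added example, which is not part of the original page or of watchTowr's tooling, is a small pre-share check a team can run over a JSON blob before it leaves the organization: it walks the document, flags scalars whose field name or value looks like a credential (the categories the research found: cloud access keys, private keys, repository tokens, passwords and connection strings), and emits a redacted copy that keeps the structure but not the secrets. The sample paste, the field names and the detection patterns are constructed for illustration; the AWS access key ID is AWS's documented example value, not a live credential.

```python
import json
import re
from typing import Any, Iterator

# Constructed sample paste (not real data): the kind of config blob the research describes.
SAMPLE_PASTE = json.dumps({
    "service": "payments-api",
    "aws": {
        "access_key_id": "AKIAIOSFODNN7EXAMPLE",  # AWS's documented example key, not live
        "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    },
    "ldap": {
        "bind_dn": "CN=svc-ldap,OU=Service,DC=corp,DC=example",
        "bind_password": "placeholder-pw",
    },
    "db": {"dsn": "Server=sql01;Database=core;User Id=svc_app;Password=placeholder-pw;"},
    "hosts": ["10.0.0.5", "10.0.0.6"],
    "tls_key": "-----BEGIN PRIVATE KEY-----\nMIIEvCONSTRUCTEDNOTAKEY\n-----END PRIVATE KEY-----",
    "release": "2024.3",
})

# Value patterns: formats that identify themselves wherever they appear.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "embedded_password": re.compile(r"(?i)\bpassword=[^;\s\"']+"),
}

# Key-name pattern: fields whose name alone says the value should not leave the org.
SENSITIVE_KEY = re.compile(
    r"(?i)passw(?:or)?d|passwd|secret|token|api[_-]?key|private[_-]?key|credential"
)


def _leaves(node: Any, path: str = "$", key: str = "") -> Iterator[tuple[str, str, Any]]:
    """Yield (json_path, nearest dict key, value) for every scalar in the document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, f"{path}.{k}", str(k))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _leaves(v, f"{path}[{i}]", key)
    else:
        yield path, key, node


def scan_json(text: str) -> list[dict]:
    """Return one finding per scalar that looks like a credential, with the reasons."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        doc = text  # not valid JSON: scan the raw paste as a single string leaf
    findings = []
    for path, key, value in _leaves(doc):
        reasons = []
        if key and SENSITIVE_KEY.search(key):
            reasons.append("sensitive_key_name")
        if isinstance(value, str):
            reasons += [name for rx_name, rx in VALUE_PATTERNS.items()
                        if rx.search(value) for name in (rx_name,)]
        if reasons:
            # Deliberately no value preview: a finding must not itself leak the secret.
            findings.append({"path": path, "reasons": reasons})
    return findings


def redact(text: str) -> str:
    """Return the paste (which must be valid JSON) with every flagged scalar replaced."""
    flagged = {f["path"] for f in scan_json(text)}

    def _walk(node: Any, path: str = "$") -> Any:
        if isinstance(node, dict):
            return {k: _walk(v, f"{path}.{k}") for k, v in node.items()}
        if isinstance(node, list):
            return [_walk(v, f"{path}[{i}]") for i, v in enumerate(node)]
        return "[REDACTED]" if path in flagged else node

    return json.dumps(_walk(json.loads(text)), indent=2)


if __name__ == "__main__":
    for finding in scan_json(SAMPLE_PASTE):
        print(f"{finding['path']}: {', '.join(finding['reasons'])}")
    print(redact(SAMPLE_PASTE))
```

The scanner is intentionally conservative in what it reports: it records the JSON path and the reason, never the matched value, so its own output can be pasted into a ticket. The key-name check catches secrets that have no recognizable format (a bind password is just a string), while the value patterns catch recognizable formats that sit under innocuous field names, which is why both are needed.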