Cloud tools JSONFormatter and CodeBeautify quietly leaked thousands of passwords and API keys over several years.

According to the cybersecurity company watchTowr Labs, new research shows that organizations in sensitive sectors like the government, telecommunications, and critical infrastructure are using online tools like JSONFormatter and CodeBeautify for formatting and validating code. Additionally, as a result of this research, watchTowr Labs collected a dataset of over 80,000 files from these two sites that had thousands of usernames, passwords, repository authentication keys, Active Directory credentials, database credentials, FTP credentials, cloud environment keys, LDAP configuration information, helpdesk API keys, meeting room API keys, SSH session recordings, and a variety of other personal data from individuals who have pasted their credentials into the sites.

Additionally, in total, these files contain approximately five years' worth of JSONFormatter content and one year of CodeBeautify content, which equates to over 5GB of enriched, annotated JSON data.

Affected organizations include those in the sectors of critical national infrastructure, government, finance, insurance, banking, technology, retail, aviation, telecommunications, healthcare, education, travel, and cyber security.

Security researcher Jake Knott stated in a report given to The Hacker News that because these online tools are so widely used, they often rank high on search engines when searching for terms like "JSON beautify" and "best place to paste secrets (therefore, unproven)." Thus, these tools are used by many different types of organizations, individuals, developers, and administrators in enterprise settings and for personal projects.

Both the JSON Formatter and Code Beautify (BEAUTIFY) tools provide a way to save and share formatted JSON structures and/or code as persistent URLs.

In addition to having a list of recently saved links accessible from their respective "recent links" pages, these tools also have a well-defined URL format, which makes it easy for a malicious person with access to a simple crawler to find and scavenge all JSON URLs saved on them.

Some examples of data exposed through these services are your Jenkins secrets, a cybersecurity company leaking encrypted credentials for sensitive configuration files to another company, know-your-customer (KYC) data related to your financial institution, with AWS credentials connected to Splunk from a major exchange, and an Active Directory password for a bank.

Another incident involves the company testing its own "fake" AWS access keys on one of these services, and after 48 hours, noticed others attempted to exploit those keys. That leads to the conclusion that data from these services is being captured and attempted for nefarious use, which results in significant exposure risks for a considerable amount of sensitive data.

"Slowing down the stupid", was the phrase used by Knott to describe his thoughts on the misuse of agentic platforms. "The point of creating AI driven agentic solutions is to be able to locate the best use of that data, not just giving a login and password away to anyone who can provide you with an anonymous login screen."

JSONFormatter and CodeBeautify have each taken the action of "stopping the save option", which they state is to make it more secure and prevent more unwanted NSFW (Image) content from being uploaded onto their sites.

This disabling of save capabilities, according to watchTowr, may have been "in response to our notice", but they believe that the solving of the issues "started from many of the companies contacted" and should have come "at some point" in September.