Millions of IP Addresses Expose Sensitive Data via Public .env Files
A major security oversight has exposed over 12 million IP addresses worldwide, leaking sensitive credentials through publicly accessible .env files, according to researchers at Mysterium VPN. The findings, reported by Security Affairs, reveal a critical lapse in operational security practices across organizations.
The exposed files, commonly used to store environment variables, contained database passwords, API keys, JWT signing secrets, and cloud service tokens. The United States accounted for the largest share of vulnerable IPs (2.8 million), followed by Japan, Germany, India, France, and the UK. The issue stems from misconfigured servers, such as those missing deny rules for hidden files, which allow direct access to credentials without requiring exploitation.
Attackers could exploit this exposure to bypass authentication, access databases, forge tokens, or abuse APIs, significantly accelerating breach attempts. The incident underscores a systemic failure in secret management, with organizations often treating configuration as an afterthought rather than a security priority.
Immediate remediation includes removing public access, rotating exposed credentials, and invalidating compromised tokens. Long-term fixes involve automated secret scanning, blocking hidden file access at the server/CDN level, and adopting centralized secret management with audit logs and automated rotation to prevent future breaches.
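The automated secret scanning recommended above, as an added example (not code from Mysterium VPN's research or the cited reports): a pre-deploy check that walks a web document root for `.env` files and reports which key names look like the credential types the report lists, without echoing their values. The key-name patterns, function names and sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed key-name heuristics (not from the report), one per credential type it lists.
CATEGORIES = {
    "database password": re.compile(r"(DB|DATABASE|MYSQL|POSTGRES).*(PASS|PWD|URL)", re.I),
    "JWT signing secret": re.compile(r"JWT.*(SECRET|KEY)", re.I),
    "cloud service token": re.compile(r"(AWS|AZURE|GCP).*(KEY|SECRET|TOKEN)", re.I),
    "API key": re.compile(r"API.*(KEY|TOKEN|SECRET)", re.I),
}
ENV_NAME = re.compile(r"^\.env(\..+)?$")  # .env, .env.production, .env.example, ...
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def classify(key):  # first matching credential category for a key name, or None
    return next((label for label, rx in CATEGORIES.items() if rx.search(key)), None)

def scan_docroot(docroot):
    """Return (relative path, key, category) for populated secret-looking keys; no values."""
    findings = []
    for folder, _dirs, files in os.walk(docroot):
        for name in filter(ENV_NAME.match, files):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for raw in fh:
                    m = ASSIGNMENT.match(raw)  # comment lines never match
                    if m is None:
                        continue
                    key, value = m.group(1), m.group(2).strip().strip("'\"")
                    category = classify(key)
                    if category and value:  # empty placeholders are not leaks
                        findings.append((os.path.relpath(path, docroot), key, category))
    return sorted(findings)

def demo():  # scans a constructed document root; every value below is fake
    with tempfile.TemporaryDirectory() as root:
        samples = {
            ".env": "# constructed sample\nAPP_NAME=shop\nDB_PASSWORD=not-a-real-value\n"
                    'JWT_SECRET="not-a-real-value"\nexport AWS_SECRET_ACCESS_KEY=not-a-real-value\n',
            ".env.example": "STRIPE_API_KEY=\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_docroot(root)

if __name__ == "__main__":
    for path, key, category in demo():
        print(f"{path}: {key} looks like a {category}; remove from docroot and rotate")
```

Run against the directory the web server actually serves, and fail the deployment on any finding; a hit means the file should be moved out of the document root and the credential rotated, as the remediation steps above describe.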
Source: https://www.scworld.com/brief/mysterium-vpn-12-million-ips-exposed-sensitive-env-files
Mysterium Network cybersecurity rating report: https://www.rankiteo.com/company/mysteriumnet
{
  "id": "MYS1772477433",
  "linkid": "mysteriumnet",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}