JSONFormatter, a widely used online tool for formatting, validating, and debugging JSON data, was found to expose highly sensitive information through its unprotected Recent Links feature; the same research found CodeBeautify exposing data in the same way. Researchers from WatchTowr extracted five years of raw data from the platform, uncovering a trove of critical assets: Active Directory credentials, cloud and database credentials, private keys, API tokens, SSH session recordings, PII (Personally Identifiable Information), KYC (Know Your Customer) data, CI/CD secrets, and payment gateway keys. The exposed data originated from government agencies, critical infrastructure operators (aerospace, healthcare, energy), financial institutions, cybersecurity firms, and telecom providers, among others. Beyond the direct credential leaks, the uploaded code often included internal endpoint details, IIS configurations, and system hardening settings, which let an attacker plan targeted intrusions, bypass security controls, or exploit misconfigurations. Attackers were already probing the exposure: attempts were observed to use expired fake AWS keys that the researchers had uploaded as bait, confirming that the leak was being exploited in practice. The incident highlights the severe risk of pasting sensitive code into public tools without safeguards, which can lead to large-scale breaches, identity theft, financial fraud, or supply-chain attacks across high-value sectors.
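The two practical responses this incident calls for, auditing who in the organisation has been sending documents to these tools and catching secrets before a document is pasted anywhere, can both run locally. The Python below is an added example written for this page, not code from WatchTowr, JSONFormatter or CodeBeautify. It extracts requests to the two tool domains from a constructed proxy log excerpt (the log layout, user names and URL paths are made up for the example; only the domain names come from the report), and it scans a JSON document for secrets using documented token formats (AWS access key IDs, PEM private key headers, GitHub classic tokens), sensitive key names, and a Shannon-entropy heuristic for random-looking values. The sample credentials are AWS's published placeholder values, not real keys.

```python
import json
import math
import re
from urllib.parse import urlsplit

# Domains of the two tools named in the report. Constructed set for this example;
# extend it with any other paste/format service you want to audit.
PASTE_TOOL_HOSTS = {"jsonformatter.org", "codebeautify.org"}

# Constructed proxy log excerpt, "timestamp user method url status bytes".
# Users and paths are invented; they are not real tool endpoints.
SAMPLE_PROXY_LOG = """\
2025-11-03T09:14:02Z alice GET https://www.example.com/ 200 1204
2025-11-03T09:15:41Z bob POST https://jsonformatter.org/ 200 88
2025-11-03T09:16:10Z bob GET https://www.jsonformatter.org/ 200 5120
2025-11-03T10:02:55Z carol POST https://codebeautify.org/ 200 64
2025-11-03T10:03:30Z dave GET https://intranet.example.com/wiki 200 2048
"""

# Constructed JSON paste. The AWS values are AWS's documented example placeholders.
SAMPLE_PASTE = json.dumps({
    "db": {"host": "db.internal.example", "user": "svc_app", "password": "Winter2025!"},
    "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE",
            "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    "note": "formatted for the team wiki",
})


def _host_matches(host: str) -> bool:
    """True if host is one of the paste-tool domains or a subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in PASTE_TOOL_HOSTS)


def find_paste_tool_requests(log_text: str) -> list:
    """Return every request to a paste/format tool with its user and method.
    POSTs are the uploads: the document then lives on a link anyone can open."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, user, method, url = parts[:4]
        host = urlsplit(url).hostname or ""
        if _host_matches(host):
            hits.append({"time": ts, "user": user, "method": method, "host": host})
    return hits


# Well-documented, stable secret formats only, so the scanner does not guess.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem-private-key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Key names that usually hold a credential regardless of the value's shape.
SENSITIVE_KEY_WORDS = ("password", "passwd", "secret", "token", "private_key", "api_key")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score above about 4.0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _mask(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_json_for_secrets(text: str) -> list:
    """Flag likely secrets in a document before it leaves the machine.
    Rules: known token formats in the raw text, then sensitive key names,
    then high-entropy string values of 20+ characters (if the text parses as JSON)."""
    findings = []
    for rule, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append({"rule": rule, "path": "<raw>", "sample": _mask(m.group(0))})

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str):
            key = path.rsplit(".", 1)[-1].lower()
            if node and any(w in key for w in SENSITIVE_KEY_WORDS):
                findings.append({"rule": "sensitive-key-name", "path": path, "sample": _mask(node)})
            elif len(node) >= 20 and shannon_entropy(node) > 4.0:
                findings.append({"rule": "high-entropy-value", "path": path, "sample": _mask(node)})

    try:
        walk(json.loads(text), "")
    except json.JSONDecodeError:
        pass  # not JSON: the raw-text regex pass above still applies
    return findings


if __name__ == "__main__":
    for hit in find_paste_tool_requests(SAMPLE_PROXY_LOG):
        print("paste-tool request:", hit)
    for finding in scan_json_for_secrets(SAMPLE_PASTE):
        print("secret before paste:", finding)
```

The proxy pass is deliberately host-based rather than path-based: the only stable fact in the report is which domains received the uploads, and a GET to the site is still worth knowing about because it shows who has the tool in their workflow. The entropy rule is a heuristic and will miss short or dictionary-like passwords, which is why the key-name rule runs first; the masked sample is what you would put in a ticket, never the full value.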
The Hacker News cybersecurity rating report: https://www.rankiteo.com/company/thehackernews
"id": "THE1841518112625",
"linkid": "thehackernews",
"type": "Breach",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Multiple (including government, '
'critical infrastructure, '
'finance, aerospace, healthcare, '
'cybersecurity, '
'telecommunications)',
'industry': 'Software Development',
'name': 'JSONFormatter',
'type': 'Online Tool/Service'},
{'customers_affected': 'Multiple (including government, '
'critical infrastructure, '
'finance, aerospace, healthcare, '
'cybersecurity, '
'telecommunications)',
'industry': 'Software Development',
'name': 'CodeBeautify',
'type': 'Online Tool/Service'},
{'industry': ['Government',
'Critical Infrastructure',
'Finance',
'Aerospace',
'Healthcare',
'Cybersecurity',
'Telecommunications'],
'location': 'Global',
'name': 'Unspecified Organizations in Critical Sectors',
'type': ['Government Agencies',
'Critical Infrastructure',
'Financial Institutions',
'Aerospace Companies',
'Healthcare Providers',
'Cybersecurity Firms',
'Telecommunication Companies']}],
'attack_vector': ['Unprotected Public Feature',
'Predictable URL Structure',
'Lack of Access Controls'],
'customer_advisories': ['Avoid uploading sensitive data to '
'JSONFormatter/CodeBeautify',
'Review historical usage of these tools for potential '
'exposures'],
'data_breach': {'data_exfiltration': "Yes (via automated scraping of 'Recent "
"Links' feature)",
'file_types_exposed': ['JSON',
'Code Snippets',
'Configuration Files'],
'personally_identifiable_information': 'Yes (PII and KYC data '
'exposed)',
'sensitivity_of_data': 'High (Includes authentication '
'credentials, financial data, and PII)',
'type_of_data_compromised': ['Credentials (Active Directory, '
'database, cloud)',
'Private Keys',
'API Tokens',
'CI/CD Secrets',
'Payment Gateway Keys',
'SSH Session Recordings',
'PII (Personally Identifiable '
'Information)',
'KYC (Know Your Customer) '
'Information',
'Internal Endpoints',
'IIS Configuration Values',
'Hardening Configurations',
'Registry Keys']},
'description': 'Researchers from WatchTowr discovered that JSONFormatter and '
'CodeBeautify, popular code formatting sites, were exposing '
"sensitive data through unprotected 'Recent Links' features. "
'The flaw allowed unauthorized access to years of raw data, '
'including credentials, private keys, API tokens, and '
'personally identifiable information (PII) from critical '
'industries like government, finance, aerospace, healthcare, '
'and telecommunications. Criminals are already probing the '
'vulnerability, posing significant risks to organizations that '
'upload sensitive code to these public platforms.',
'impact': {'brand_reputation_impact': 'High (Trust erosion in code formatting '
'platforms, especially for critical '
'industries)',
'data_compromised': ['Active Directory credentials',
'Database and cloud credentials',
'Private keys',
'Code repository tokens',
'CI/CD secrets',
'Payment gateway keys',
'API tokens',
'SSH session recordings',
'PII (Personally Identifiable Information)',
'KYC (Know Your Customer) information',
'Internal endpoints',
'IIS configuration values',
'Hardening configurations',
'Registry keys'],
'identity_theft_risk': 'High (Exposure of PII and KYC data)',
'operational_impact': 'High (Potential for targeted intrusions, '
'security bypasses, and exploitation of '
'misconfigurations by malicious actors)',
'payment_information_risk': 'High (Exposure of payment gateway '
'keys and financial credentials)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (evidenced by '
'criminal probing of '
'uploaded fake AWS keys)',
'entry_point': "Unprotected 'Recent Links' feature "
'on JSONFormatter and CodeBeautify',
'high_value_targets': ['Government agencies',
'Critical infrastructure',
'Financial institutions',
'Aerospace companies',
'Healthcare providers',
'Cybersecurity firms',
'Telecommunication '
'companies'],
'reconnaissance_period': 'Ongoing (at least 5 years '
'for JSONFormatter, 1 year '
'for CodeBeautify)'},
'investigation_status': 'Disclosed by WatchTowr; no official resolution or '
'patch confirmed',
'lessons_learned': ["Public-facing tools with 'Recent Links' or similar "
'features must implement access controls and '
'authentication.',
'Sensitive data should never be uploaded to public code '
'formatting or validation tools, even temporarily.',
'Predictable URL structures in public services can be '
'exploited for mass data harvesting.',
'Organizations in critical sectors must audit third-party '
'tools for data exposure risks.',
'Criminals actively monitor public platforms for exposed '
'credentials and secrets.'],
'motivation': ['Data Theft',
'Reconnaissance for Targeted Attacks',
'Exploitation of Misconfigurations'],
'post_incident_analysis': {'corrective_actions': ['Implement authentication '
"for 'Recent Links' or "
'similar features',
'Randomize URLs and enforce '
'short expiration times',
'Add rate-limiting to '
'prevent mass scraping',
'Educate users on safe '
'practices for code '
'formatting tools',
'Conduct third-party '
'security audits for '
'public-facing services'],
'root_causes': ['Lack of access controls on '
"'Recent Links' feature",
'Predictable URL structure '
'enabling automated scraping',
'No authentication required to '
'view historical data',
'User unaware of risks when '
'uploading sensitive data to '
'public tools']},
'recommendations': ["Disable or secure 'Recent Links' features with "
'authentication and rate-limiting.',
'Implement short-lived, randomized URLs for shared '
'content to prevent scraping.',
'Educate developers and employees on the risks of '
'uploading sensitive data to public tools.',
'Use dedicated, air-gapped tools for formatting or '
'validating sensitive code/data.',
'Monitor dark web and criminal forums for exposed '
'credentials linked to your organization.',
'Conduct regular audits of third-party services for data '
'leakage risks.'],
'references': [{'source': 'TechRadar',
'url': 'https://www.techradar.com/news/watchtowr-found-jsonformatter-and-codebeautify-exposing-sensitive-data-via-unprotected-recent-links-features'},
{'source': 'WatchTowr Research'}],
'response': {'communication_strategy': ['Public Disclosure via TechRadar',
'Researcher Advisory'],
'remediation_measures': ['Public Warning by WatchTowr',
'Advisory for Users to Avoid Uploading '
'Sensitive Data']},
'stakeholder_advisories': ['WatchTowr public warning', 'TechRadar article'],
'threat_actor': ['Opportunistic Criminals', 'Data Harvesters'],
'title': 'JSONFormatter and CodeBeautify Exposing Sensitive Data via '
"Unprotected 'Recent Links' Features",
'type': ['Data Exposure', 'Information Disclosure', 'Misconfiguration'],
'vulnerability_exploited': "Unprotected 'Recent Links' feature with "
'predictable URL format, enabling unauthorized '
'data scraping via crawlers'}
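The root causes and corrective actions above amount to one design fix for any "share a link to your document" feature: unguessable identifiers, a short expiry, a lookup budget per client, and no public index of recent uploads. The Python below is an added example, not the code of either site and not WatchTowr's scraper. It contrasts a store that hands out sequential IDs, which anyone can count through, with a hardened store, and runs the same counting scraper against both. The store classes, the injected clock, the 192-bit identifier size and the harvesting routine are this example's own constructions.

```python
import secrets
import time
from collections import defaultdict, deque
from typing import Optional


class SequentialLinkStore:
    """The weak design: IDs increase by one, so every saved document is reachable
    by counting upward. No 'recent links' page is even needed to harvest it."""

    def __init__(self):
        self._docs = {}
        self._next = 1

    def save(self, body: str) -> str:
        link_id = str(self._next)
        self._next += 1
        self._docs[link_id] = body
        return link_id

    def fetch(self, link_id: str, client: str) -> Optional[str]:
        return self._docs.get(link_id)


class HardenedLinkStore:
    """Unguessable IDs, a short TTL, a per-client lookup budget, no listing API.
    `clock` is injectable so the expiry and rate window can be tested offline."""

    def __init__(self, ttl_seconds: int = 600, lookups_per_minute: int = 30, clock=time.monotonic):
        self._docs = {}                    # id -> (expires_at, body)
        self._ttl = ttl_seconds
        self._budget = lookups_per_minute
        self._clock = clock
        self._hits = defaultdict(deque)    # client -> timestamps of recent lookups

    def save(self, body: str) -> str:
        link_id = secrets.token_urlsafe(24)  # 192 random bits: counting is hopeless
        self._docs[link_id] = (self._clock() + self._ttl, body)
        return link_id

    def _allowed(self, client: str) -> bool:
        """Sliding one-minute window; a scraper burns its budget on misses too."""
        now = self._clock()
        window = self._hits[client]
        while window and now - window[0] > 60:
            window.popleft()
        if len(window) >= self._budget:
            return False
        window.append(now)
        return True

    def fetch(self, link_id: str, client: str) -> Optional[str]:
        if not self._allowed(client):
            raise PermissionError("rate limited")
        entry = self._docs.get(link_id)
        if entry is None:
            return None
        expires_at, body = entry
        if self._clock() >= expires_at:
            del self._docs[link_id]       # expired links are gone, not just hidden
            return None
        return body


class FakeClock:
    """Deterministic clock for the demonstration and tests (constructed helper)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def harvest_by_counting(store, client: str, max_id: int) -> dict:
    """What a scraper does against a predictable URL space: fetch /link/1, /link/2, ...
    Returns the documents recovered and how many lookups were served before a block."""
    found, served = [], 0
    for n in range(1, max_id + 1):
        try:
            body = store.fetch(str(n), client)
        except PermissionError:
            return {"found": found, "lookups_before_block": served}
        served += 1
        if body is not None:
            found.append(body)
    return {"found": found, "lookups_before_block": None}


if __name__ == "__main__":
    weak = SequentialLinkStore()
    for i in range(3):
        weak.save(f"internal-config-{i}")
    print("sequential IDs:", harvest_by_counting(weak, "scraper", 1000))

    clock = FakeClock()
    hard = HardenedLinkStore(clock=clock)
    link = hard.save("internal-config")
    print("random IDs:   ", harvest_by_counting(hard, "scraper", 1000))
    print("owner, fresh: ", hard.fetch(link, "owner"))
    clock.advance(601)
    print("owner, expired:", hard.fetch(link, "owner"))
```

The rate limit is the least important of the three controls here: it slows a scraper, but a determined one rotates source addresses. The identifier entropy is what makes enumeration infeasible, and the TTL bounds the damage when a link is shared more widely than intended or when a user pastes something they should not have. Note that none of this helps if the service also exposes a public "recent links" index; that endpoint has to go or sit behind the uploader's own session.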