A major international stock exchange inadvertently exposed production AWS credentials for its Splunk SOAR (Security Orchestration, Automation, and Response) system via an online code formatting tool (JSONFormatter/CodeBeautify). The credentials were saved in a publicly accessible shareable link, making them permanently searchable and exploitable by threat actors. This exposure risks compromising the exchange’s incident response capabilities, potentially allowing attackers to disrupt automated security operations, manipulate threat detection, or escalate privileges within the financial infrastructure. Researchers confirmed that such credentials are actively harvested by unknown actors, with unauthorized access attempts detected even after link expiration. The breach highlights systemic negligence in handling sensitive automation keys, which could enable financial fraud, market manipulation, or large-scale operational disruptions. Given the stock exchange’s role in global finance, the incident poses severe reputational damage and regulatory scrutiny, while also serving as a high-value target for state-sponsored or financially motivated cybercriminals.
Source: https://cyberpress.org/developers-leak-passwords-and-api-keys/
Texas Stock Exchange | TXSE Group Inc cybersecurity rating report: https://www.rankiteo.com/company/txse
"id": "TXS1393413112625",
"linkid": "txse",
"type": "Breach",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Finance',
'name': 'Major International Stock Exchange',
'type': 'Financial Institution'},
{'customers_affected': ['U.S. Bank (Largest Client)'],
'industry': 'Cybersecurity',
'location': 'United States (Client: U.S. Bank)',
'name': 'Unnamed MSSP (Managed Security Service '
'Provider)',
'type': 'Cybersecurity Firm'},
{'industry': 'Government',
'name': 'Government Agencies (Multiple)',
'type': 'Public Sector'},
{'industry': 'Cybersecurity',
'name': 'Cybersecurity Vendors (Multiple)',
'type': 'Private Sector'},
{'industry': 'Finance',
'name': 'Financial Institutions (Multiple)',
'type': 'Private Sector'},
{'industry': 'Healthcare',
'name': 'Healthcare Organizations (Multiple)',
'type': ['Private Sector', 'Public Sector']},
{'industry': 'Professional Services',
'name': 'Consulting Firms (Multiple)',
'type': 'Private Sector'}],
'attack_vector': ['Human Error',
'Publicly Accessible Shareable Links',
'Lack of Access Controls'],
'customer_advisories': ['Recommended Credential Rotation',
'Incident Disclosure (Where Applicable)'],
'data_breach': {'data_encryption': ['Not Applicable (Plaintext Exposure)'],
'data_exfiltration': ['Confirmed (Harvesting by Unknown '
'Actors)'],
'file_types_exposed': ['JSON',
'Configuration Files',
'Log Files',
'Emails'],
'number_of_records_exposed': 'Thousands (across 80,000+ '
'submissions)',
'personally_identifiable_information': ['KYC Data (Customer '
'Personal '
'Information)'],
'sensitivity_of_data': ['High (Critical Infrastructure '
'Credentials)',
'PII (KYC Data)'],
'type_of_data_compromised': ['Credentials',
'API Keys',
'Configuration Files',
'KYC Data (PII)',
'Production System Credentials']},
'description': 'Developers are inadvertently exposing sensitive credentials, '
'API keys, and passwords by using popular online code '
'formatting tools (JSONFormatter and CodeBeautify). WatchTowr '
'Labs discovered over 80,000 publicly accessible submissions '
'containing thousands of leaked secrets across finance, '
'government, healthcare, and cybersecurity sectors. The '
"vulnerability stems from the platforms' 'SAVE' feature, which "
'makes shared links permanently accessible. Researchers '
'confirmed that credentials are actively harvested by unknown '
'actors, with unauthorized access attempts detected even after '
'link expiry. Affected data includes AWS keys, Active '
'Directory credentials, KYC data, and more.',
'impact': {'brand_reputation_impact': ['High (Critical Sectors Affected)',
'Loss of Trust in Security Practices'],
'data_compromised': ['API Keys',
'AWS Credentials',
'Active Directory Credentials',
'Database Passwords',
'SSH Private Keys',
'Docker Credentials',
'KYC Data (Personal Information)',
'Production AWS Credentials (Splunk SOAR)',
'Onboarding Emails (MSSP & U.S. Bank)'],
'identity_theft_risk': ['High (KYC Data Exposure)',
'Credential Stuffing Risks'],
'legal_liabilities': ['Potential GDPR/CCPA Violations (KYC Data '
'Exposure)',
'Regulatory Scrutiny for '
'Financial/Government Sectors'],
'operational_impact': ['Potential Compromise of Incident Response '
'Capabilities (Stock Exchange)',
'Unauthorized Access Risks to Critical '
'Infrastructure',
'Reputation Damage to Affected '
'Organizations'],
'systems_affected': ['Splunk SOAR Automation (Major International '
'Stock Exchange)',
'Active Directory (MSSP & U.S. Bank)',
'Unknown Systems (Government, Cybersecurity, '
'Financial Sectors)']},
'initial_access_broker': {'data_sold_on_dark_web': ['Likely (Given Active '
'Harvesting)'],
'entry_point': ["Publicly Accessible 'Recent Links' "
'Pages on '
'JSONFormatter/CodeBeautify'],
'high_value_targets': ['AWS Credentials (Stock '
'Exchange Splunk SOAR)',
'Active Directory (MSSP & '
'U.S. Bank)',
'KYC Data '
'(Financial/Healthcare)'],
'reconnaissance_period': ['Up to 5 Years '
'(JSONFormatter)',
'1 Year (CodeBeautify)']},
'investigation_status': 'Ongoing (Active Harvesting Confirmed)',
'lessons_learned': ['Public code formatting tools pose significant risks for '
'credential exposure.',
'Developers lack awareness of permanent accessibility of '
"'saved' links.",
'Critical sectors are equally vulnerable to '
'human-error-driven leaks.',
'Attackers actively monitor these platforms for fresh '
'credentials.'],
'motivation': ['Financial Gain', 'Espionage', 'Opportunistic Exploitation'],
'post_incident_analysis': {'corrective_actions': ['Blocklist Public Code '
'Formatting Tools',
'Deploy Enterprise-Grade '
'Secret Management',
'Enforce Least Privilege '
'for Credentials',
'Implement Real-Time '
'Monitoring for Credential '
'Exposure'],
'root_causes': ['Lack of Developer Awareness',
'Poor Platform Design (Permanent '
'URLs)',
'Absence of Corporate Policies on '
'Code Formatting Tools',
'No Secret Scanning in '
'Collaboration Workflows']},
'recommendations': ['Prohibit use of public code formatting tools for '
'sensitive data.',
'Mandate local/private alternatives (e.g., VS Code '
'plugins, internal tools).',
'Implement automated secret scanning in repositories and '
'emails.',
'Conduct audits for historical exposure on these '
'platforms.',
'Train developers on secure handling of credentials/API '
'keys.',
'Monitor for unauthorized access using exposed secrets '
'(e.g., canary tokens).'],
'references': [{'source': 'watchTowr Labs Research'},
{'source': 'NCSC UK Advisory'},
{'source': 'CISA Coordination'}],
'regulatory_compliance': {'regulations_violated': ['Potential GDPR (EU)',
'Potential CCPA '
'(California)',
'Sector-Specific '
'Regulations '
'(Finance/Government)'],
'regulatory_notifications': ['Coordinated with NCSC '
'UK, CISA, and '
'International CERTs']},
'response': {'communication_strategy': ['Public Advisory via watchTowr Labs',
'CERT Notifications'],
'containment_measures': ['Revoke Exposed Credentials '
'(Recommended)',
'Disable Compromised API Keys '
'(Recommended)'],
'enhanced_monitoring': ['Monitor for Unauthorized Access '
'Attempts Using Exposed Credentials'],
'incident_response_plan_activated': ['Coordinated Disclosure '
'with CERTs (NCSC UK, CISA, '
'etc.)'],
'remediation_measures': ['Audit Historical Usage of Code '
'Formatting Tools',
'Implement Detective Controls for '
'Secret Exposure',
'Block Access to Public Code Formatting '
'Tools (Corporate Policy)'],
'third_party_assistance': ['watchTowr Labs (Research & '
'Disclosure)']},
'stakeholder_advisories': ['CERT Notifications',
'Sector-Specific Warnings (Finance/Government)'],
'threat_actor': ['Unknown Actors',
'Opportunistic Attackers',
'Credential Harvesters'],
'title': 'Mass Exposure of Sensitive Credentials via Online Code Formatting '
'Tools',
'type': ['Data Leak', 'Credential Exposure', 'Misconfiguration'],
'vulnerability_exploited': ["Design Flaw in 'SAVE' Feature",
"Publicly Indexed 'Recent Links' Pages",
'Permanent URL Accessibility']}