Cybersecurity firm watchTowr Labs said it captured a dataset of more than 80,000 files from online code-formatting services JSONFormatter and CodeBeautify that contained thousands of usernames, passwords, authentication keys and other sensitive records.
The collection, which watchTowr described as enriched, annotated JSON data, comprised five years of JSONFormatter content and one year of CodeBeautify content totaling more than 5GB. It included repository authentication keys, Active Directory credentials, database and FTP credentials, cloud environment keys, LDAP configuration information, API keys for helpdesk and meeting room systems, SSH session recordings and personal information.
Items cited by the researchers included Jenkins secrets, encrypted configuration credentials from a cybersecurity company, Know Your Customer information tied to a bank, a financial exchange’s AWS credentials connected to Splunk, and Active Directory credentials for a banking customer.
Both services let users save formatted structures and produce shareable links, and each provides a listing of recently saved links on a "Recent Links" page. The researchers said this combination makes it feasible for third parties to discover and scrape exposed content.
watchTowr reported that after it uploaded fake AWS access keys to one of the tools, other parties attempted to use those keys within 48 hours, which the researchers said indicates ongoing scraping and abuse. Researcher Jake Knott said the tools are widely used and warned organisations against pasting credentials into random websites.
Both JSONFormatter and CodeBeautify had temporarily disabled the save function and said they were working to improve the feature and implement enhanced NSFW content prevention measures; watchTowr said it believes the change occurred in September after affected organisations were alerted.

