Widespread Data Exposure from Popular Developer Tools
Two widely used online utilities for developers, JSONFormatter.org and CodeBeautify.org, have been found to have exposed years of user-submitted data. The leaked information includes highly sensitive credentials such as passwords, API keys, authentication tokens, and personally identifiable information (PII). The exposure occurred because the tools saved user data to publicly accessible URLs that required no authentication and were subsequently indexed by search engines.
The security issue was discovered and reported by a security researcher known as “th3g3nt3lman”. The researcher found that anyone with the direct URL could view the data pasted into the tools by previous users. This long-term exposure affected a vast amount of data submitted by developers and IT professionals who used the sites for formatting and validating code snippets and configuration files.
Details of the Exposed Data
The investigation revealed a significant volume of sensitive information had been made public. For CodeBeautify.org, the researcher identified over 100,000 unique URLs containing user data, with some records dating back to at least 2016. The exposed data included Amazon Web Services (AWS) access keys, server login credentials for SSH and FTP, database passwords, and private keys for security certificates.
Similarly, the data leak from JSONFormatter.org was substantial. While over three million records were found, many were duplicates or test entries. However, the researcher confirmed that tens of thousands of these records contained sensitive data, with public pastes dating as far back as 2013. Exposed information included Google API keys, authentication tokens for various services, and PII such as usernames, email addresses, and phone numbers. Upon being notified of the vulnerability, the owners of both websites took action to secure the publicly accessible data.
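One way to keep the credential types listed above out of third-party formatters is to pretty-print JSON locally and redact secrets before a snippet leaves the workstation. The Python below is an added example, not code from either site or from the researcher; the key-name list, the value patterns chosen and the sample document are assumptions constructed for illustration.

```python
import json
import re

# Key names whose values are always treated as secret (assumed list, extend as needed).
SENSITIVE_KEYS = re.compile(r"passw(?:or)?d|secret|token|api[_-]?key|private[_-]?key", re.I)
# Value patterns for credential and PII kinds named in the article.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}

# Constructed sample input; the AWS value is the documentation placeholder key.
SAMPLE = json.loads("""{
  "db": {"host": "db.internal.example", "password": "constructed-value"},
  "aws": {"access_id": "AKIAIOSFODNN7EXAMPLE"},
  "contacts": ["ops@example.com", "none"],
  "retries": 3
}""")

def redact(node, path="$", findings=None):
    """Return (redacted_copy, findings); findings are (json_path, reason) pairs."""
    findings = [] if findings is None else findings
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEYS.search(key):
                # Secret by name: drop the whole value, whatever its type.
                findings.append((child, "sensitive_key"))
                out[key] = "<REDACTED>"
            else:
                out[key] = redact(value, child, findings)[0]
        return out, findings
    if isinstance(node, list):
        return [redact(v, f"{path}[{i}]", findings)[0] for i, v in enumerate(node)], findings
    if isinstance(node, str):
        for reason, pattern in VALUE_PATTERNS.items():
            if pattern.search(node):
                findings.append((path, reason))
                return "<REDACTED>", findings
    return node, findings

if __name__ == "__main__":
    redacted, findings = redact(SAMPLE)
    print(json.dumps(redacted, indent=2))  # formatted locally, nothing uploaded
    for json_path, reason in findings:
        print(f"redacted {json_path}: {reason}")
```

Pattern matching of this kind misses secrets with no recognizable prefix or key name, so an empty findings list does not prove a snippet is safe to share.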
Source: https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html