Concise Cyber


Security Alert: Popular Code Formatting Sites Publicly Exposing Credentials and API Keys

Security researchers have discovered a widespread data exposure issue affecting numerous online code formatting and beautifying websites. These platforms, commonly used by software developers to improve code readability, were found to be storing and publicly exposing code snippets submitted by users, leading to the leakage of sensitive corporate and personal information.

The investigation, conducted by cybersecurity firm CloudSEK, identified more than 30 of these online tools that automatically save user-pasted code as publicly accessible documents. These saved pages, often called “pastes,” were assigned unique URLs and were being indexed by major search engines, making the exposed data discoverable by anyone.

How Sensitive Data Was Exposed

The core of the issue lies in the operational design of these websites. Instead of processing the code ephemerally in the user’s browser or on a temporary server-side instance, the services retain a copy of the submitted code. This retained code was then published on a public URL without any authentication or access controls. Developers using these tools for convenience were often unaware that their code, containing sensitive information, was being made permanently public.

Credentials, Tokens, and Business Logic Leaked

The analysis of the publicly available data revealed a significant amount of exposed secrets. Researchers found hardcoded credentials, including AWS access keys, GitHub access tokens, database connection strings for MongoDB and MySQL, and FTP credentials. Beyond credentials, the exposed code also contained API keys for various third-party services, server IP addresses, and, in some cases, extensive blocks of proprietary business logic. To demonstrate the active threat, researchers planted a fake AWS key into one of the vulnerable sites. Within 30 minutes, they observed automated scanning activity attempting to leverage the exposed key, confirming that threat actors actively monitor these sites for valuable credentials.
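As an added defensive example (not code from the article or from CloudSEK), the check below scans a snippet for the secret classes the article lists before the snippet is handed to a third-party formatter, and returns a copy with only the secret values redacted. The regular expressions and the sample snippet are constructed assumptions, not an exhaustive detector.

```python
import re

# Constructed patterns for the secret classes the article names.  Group 1 is the
# value to redact.  The AWS "AKIA" and GitHub "ghp_/gho_/..." prefixes are documented
# public formats; the URI-password and assignment patterns are heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b"),
    # user:password@host in MongoDB, MySQL and FTP connection strings
    "db_uri_password": re.compile(
        r"\b(?:mongodb(?:\+srv)?|mysql|ftp)://[^\s'\":@/]+:([^\s'\"@]+)@"),
    # api_key = "..." / password: '...' style assignments with a long value
    "api_key_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}

def find_secrets(snippet: str) -> list[tuple[str, int]]:
    """Return (secret_class, line_number) for each line that matches a pattern."""
    hits = []
    for lineno, line in enumerate(snippet.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits

def redact(snippet: str) -> str:
    """Replace only the secret value (group 1) with a placeholder, keeping the rest."""
    def replacer(name):
        def repl(m):
            start, end = m.start(1) - m.start(0), m.end(1) - m.start(0)
            return m.group(0)[:start] + f"<REDACTED:{name}>" + m.group(0)[end:]
        return repl
    for name, pattern in SECRET_PATTERNS.items():
        snippet = pattern.sub(replacer(name), snippet)
    return snippet

def safe_to_paste(snippet: str) -> bool:
    """Gate for a formatter wrapper: True only when no secret pattern matched."""
    return not find_secrets(snippet)

# Constructed sample snippet; every credential below is fake and only follows the
# documented prefix format (the AWS value is AWS's own documentation example key).
SAMPLE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
MONGO = "mongodb://appuser:S3cretPassw0rd@db.internal.example:27017/prod"
GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
api_key = "sk_live_0123456789abcdef0123"
"""
```

Run `find_secrets(SAMPLE)` to see which line carries which secret class, and `redact(SAMPLE)` for the copy that is safe to submit; a real pre-paste hook would refuse to submit whenever `safe_to_paste` returns False.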