Over 200K Sensitive Docs Exposed by Online JSON Formatters Over Seven Years
Security researchers uncovered more than 200,000 documents—including cloud access keys, SSH keys, tax forms and bank statements—leaked from JSONFormatter.org and CodeBeautify.org over seven years, accessible via predictable unauthenticated URLs, and demonstrated that attackers can exploit such data within 48 hours.
1. Incident Overview
Two security research teams, watchTowr Labs and BeyondMemory, investigated data leakage in online JSON formatting services. watchTowr first reported the issue in November 2025, collecting about 80,000 documents from JSONFormatter.org and CodeBeautify.org. BeyondMemory later expanded the crawl, gathering roughly 200,000 documents spanning a seven‑year period.
2. How the Tools Store Data
Both services allow users to paste raw JSON or code, click “beautify”, and optionally click “save”. When saved, the content receives a six‑character hexadecimal ID and is served at a public URL such as https://jsonformatter.org/{id} or https://codebeautify.org/{formatter-type}/{id}. The “Recent Links” page lists all saved entries, and the URLs are predictable and require no authentication; anyone who knows the URL can retrieve the original data.
3. Scale and Types of Exposed Information
BeyondMemory’s detailed report lists at least 1,078 documents with high‑confidence sensitive credentials (live keys, usernames/passwords, API keys, connection strings) and another 2,167 documents with medium confidence. The leaked data spans many sectors, including government, telecom, critical infrastructure, finance, insurance, healthcare, education, tourism, and even the cybersecurity industry itself.
The leaked credential types include:
Cloud environment keys (AWS, Azure, Alibaba Cloud)
SSH private keys
API keys for payment gateways, SMS, maps, etc.
Database connection strings with usernames/passwords
Active Directory administrator accounts
Complete tax filings containing SSNs
Bank statements with balances and transaction records
KYC customer information
Jenkins build credentials
Turkish personal data (TCKN, IBAN)
4. Low Attack Barrier
An experiment by watchTowr uploaded a fabricated AWS access key to one of the tools and observed that within 48 hours an attacker attempted to use it. This demonstrates two facts: attackers actively crawl these services, and the harvested data is immediately weaponized.
BeyondMemory also discovered that the sites themselves host stored XSS vulnerabilities, turning the data‑collection platform into a “hole‑filled basket”.
5. Warning for Developers
The report stresses that many developers worldwide habitually paste production‑level debugging data into online tools for convenience, assuming the data is only used for formatting. This complacency has resulted in cloud keys, tax records, and bank details being publicly exposed after years of unnoticed collection.
With the rise of AI coding assistants (e.g., Tongyi Code, Wenxin Yiyan, GitHub Copilot), similar paste‑and‑leak scenarios may emerge in the future.
6. Mitigation Recommendations
Never process production data with online services; use local tools such as python -m json.tool or built‑in OS utilities.
Prefer trusted offline tools; if an online tool must be used, verify it does not store data.
Incorporate this incident into security training and promote secure coding practices.
Immediately rotate any keys that may have been pasted to online formatters.
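As an added example (not code from the report or from either research team), the following script is a local drop-in for `python -m json.tool` that pretty-prints on the developer's own machine and redacts credential-like values before the output is ever shared or pasted anywhere. The detection patterns, key-name list and sample input are constructed assumptions for illustration, not an exhaustive secret scanner.

```python
import json
import re
import sys

# Value patterns for credential types the report says were leaked (constructed; not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "connection_string_password": re.compile(r"://[^:/\s]+:[^@\s]+@"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}
# Key names whose values are redacted regardless of content (constructed list).
SENSITIVE_KEYS = re.compile(r"(pass(word)?|secret|token|api[_-]?key|private[_-]?key|ssn)", re.I)


def _redact(obj, findings, path="$"):
    """Walk the parsed JSON, replacing secrets with a marker and recording why."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEYS.search(str(key)):
                findings.append((child, "sensitive key name"))
                out[key] = "[REDACTED]"
            else:
                out[key] = _redact(value, findings, child)
        return out
    if isinstance(obj, list):
        return [_redact(v, findings, f"{path}[{i}]") for i, v in enumerate(obj)]
    if isinstance(obj, str):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(obj):
                findings.append((path, name))
                return "[REDACTED]"
    return obj


def format_locally(raw):
    """Pretty-print JSON with secrets redacted; returns (text, list of (path, reason))."""
    findings = []
    data = _redact(json.loads(raw), findings)
    return json.dumps(data, indent=2, sort_keys=True), findings


# Constructed sample: the AWS key ID is the documented placeholder value, not a live key.
SAMPLE = ('{"db":"postgres://app:s3cr3t@db.internal/prod",'
          '"aws_access_key_id":"AKIAIOSFODNN7EXAMPLE","password":"hunter2","region":"us-east-1"}')

if __name__ == "__main__":
    text, found = format_locally(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE)
    print(text)
    for where, why in found:
        print(f"redacted {where}: {why}", file=sys.stderr)
```

Run it as `cat debug.json | python format_locally.py` in place of `python -m json.tool`; the redaction report goes to stderr so the formatted output stays clean.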
7. Conclusion
Harvesting this data required almost no effort from attackers yet yielded high‑value secrets. Red teams can easily collect such data, while blue teams must urgently audit their own organisation's use of online formatting tools and rotate any potentially compromised credentials.
Black & White Path