Watch out coders - top code formatting sites are apparently exposing huge amounts of user data

1. Pro
2. Security

Watch out coders - top code formatting sites are apparently exposing huge amounts of user data News By Sead Fadilpašić published 26 November 2025

People are willingly uploading secrets to JSONFormatter and CodeBeautify

Comments (0) ()

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Image Credit: Pixabay (Image credit: Geralt / Pixabay)

• WatchTowr found JSONFormatter and CodeBeautify exposing sensitive data via unprotected “Recent Links” features
• Researchers pulled years of raw data, uncovering credentials, private keys, API tokens, and PII from critical industries
• Criminals are already probing the flaw, highlighting risks of uploading sensitive code to public formatting sites

Some of the top code formatting sites are exposing sensitive and identifiable information which could put countless organizations, including government and critical infrastructure ones, at risk, experts have warned.

Cybersecurity researchers WatchTowr analyzed JSONFormatter and CodeBeautify, services where users can submit code, or data (most commonly JSON), to format, validate, and "beautify" to make it easier to read and debug.

• Amazon Black Friday deals are live: here are our picks!

The experts say these two sites have a feature called Recent Links, which automatically lists the last files, or URLs, that were formatted or analyzed on the platform. This feature is not protected in any way, and follows a predictable URL format that can be leveraged with crawlers.

You may like

• Nearly 180k records exposed in billing platform breach - here’s what we know
• Leading AI companies keep leaking their own information on GitHub
• How DevOps tools are opening the gates for high-profile cyberattacks

$60 offSave 75%Aura Family: was US$80 now US$20 at Aura Inc

Aura can protect your family with a plethora of features: Password Manager, ID theft protection, Antivirus, VPN, Parental Control and much more for just $20 per month!

View Deal

A warning to users

Given the lax security and a structured URL format, WatchTowr’s researchers managed to pull five years of JSONFormatter raw data, and a full year of CodeBeautify data.

In the data, they found all sorts of sensitive information: Active Directory credentials, database and cloud credentials, private keys, code repository tokens, CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, PII and KYC information, and more.

The companies willingly and unknowingly sharing this information work in government, critical infrastructure, finance, aerospace, healthcare, cybersecurity, telecommunication, and other industries.

WatchTowr also said that even without sensitive data, the information in the code is valuable, since it often contains details about internal endpoints, IIS configuration values and properties, and hardening configurations with corresponding registry keys. Such information can help malicious actors craft targeted intrusions, bypass security controls, or exploit misconfigurations.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

The researchers also said that some criminals are already abusing this vulnerability. They added fake AWS keys to the platforms, and set them to “expire” in 24 hours, but someone tried to use them 48 hours later.

"More interestingly, they were tested 48 hours after our initial upload and save (for those mathematically challenged, this is 24 hours after the link had expired and the 'saved' content was removed)," watchTowr concluded, urging users to be careful what they’re uploading.

The best antivirus for all budgetsOur top picks, based on real-world testing and comparisons

➡️ Read our full guide to the best antivirus1. Best overall:Bitdefender Total Security2. Best for families:Norton 360 with LifeLock3. Best for mobile:McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead FadilpašićSocial Links Navigation

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Logout Read more Nearly 180k records exposed in billing platform breach - here’s what we know    Leading AI companies keep leaking their own information on GitHub    How DevOps tools are opening the gates for high-profile cyberattacks    JSON services hijacked by North Korean hackers to send out malware    Dangerous npm packages are targeting developer credentials on Windows, Linux and Mac - here's what we know    Claude can be tricked into sending your private company data to hackers - all it takes is some kind words    Latest in Security Harvard University reveals data breach hitting alumni and donors    Hackers impersonate TechCrunch reporters to steal sensitive information - but you can always trust us    Black Friday shopping scams are on the rise - experts warn many new domains could be dodgy, here's what to look for    Windows Server flaw targeted by hackers to spread malware - here's what we know    Cox Enterprises hit by Oracle data breach - but it won't name who carried out the attack    Iberia tells customers it was hit by a major security breach    Latest in News What's coming with the Meta Quest 4? We now have more of an idea    Struggling with high storage costs? Time to get deleting, as study finds up to 50% of data could be unused    Google Messages could be getting 3 useful upgrades soon – including a Gemini change    Businesses are struggling to implement "responsible AI" - but it could make all the difference    Garmin posted a teaser for a new wearable 'coming soon' – then deleted it    HBO Max debuts Lanterns' first teaser at behind-closed-doors event    LATEST ARTICLES

1. 1Fresh Meta Quest 4 rumors hint at specs, pricing, a more lightweight design – and even a new name
2. 2The best student laptops in 2025: our top tested choices for college and school
3. 3We tested the malware blocking capabilities of your favorite VPNs – here’s the best that you can save on right now
4. 4Watch out coders - top code formatting sites are apparently exposing huge amounts of user data
5. 5Google Messages could be getting 3 useful upgrades soon – including a Gemini change