Beware of Storing Your Passwords on Random Websites
Welcome to another episode of watchTowr versus the Internet.
That sinking feeling you’re experiencing? That’s dread, and honestly, you should be used to it by now. We’ve repeatedly uncovered massive leaks of sensitive passwords, keys, and secrets on public platforms—each time, questioning if we could somehow turn back the clock. Remember, these problems aren’t just yours—they’re a shared responsibility ™.
Our past online disasters include exposing 8 million requests that made the SolarWinds attack look minor, gaining access to TLS/SSL certificates for abandoned domains, and hijacking domains to breach government networks. Despite our failures and lessons learned, we’re still making those same mistakes.
Today, we’re dragging you back into that mess. While many highlight AI as the looming threat, our favorite MSSP (Managed Security Service Provider) is still publicly posting Active Directory credentials for a bank. Yes, in some cases, the exposure is on their first day.
The pattern is familiar: secrets are leaking through repositories, workspaces, Docker containers—anywhere developers share code or configurations. Now, we wonder—how many teenagers, amidst homework and distractions, are smarter than this billion-dollar industry?
Our recent reckless adventure involved searching platforms like JSONFormatter and CodeBeautify, tools developers use to tidy up code. This led us to a dataset of over 80,000 saved JSON snippets containing a shocking number of secrets: credentials, keys, and other sensitive data.
What did we find?
– Active Directory logins
– Repository keys
– Database passwords
– LDAP settings
– Cloud access keys
– FTP logins
– CI/CD pipeline secrets
– Full API request logs
– Private cryptographic keys
– Payment gateway credentials
– RTSP stream info
– JWT tokens
– Helpdesk and meeting room API keys
– SSH session recordings
– Personally Identifiable Information (PII), including everything imaginable
And all these secrets come from organizations spanning critical infrastructure, government, finance, healthcare, education, tech, retail, aerospace, telecoms, and beyond. The scale and variety are terrifying.
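The common thread in these leaks is a developer pasting a whole config blob into a formatter without looking at what is in it. As an added example (not code from watchTowr or from the original post), the following is a local pre-paste check that walks a JSON document, flags the kinds of leaves listed above by suspicious key name or by value shape (AWS access key ID, PEM private key block, JWT), and returns a redacted copy that is safe to share. The sample document, key-name list and value patterns are constructed here for illustration; the regexes are assumptions and deliberately cover only a few well-known formats.

```python
import json, re

# Constructed sample (placeholder values, not real credentials): the kind of
# config a developer pastes into a formatter site "just to tidy it up".
SAMPLE_JSON = '''{
  "ldap": {"url": "ldap://dc01.corp.example", "bind_password": "Winter2024!"},
  "aws": {"access_key_id": "AKIAEXAMPLEEXAMPLE00", "region": "eu-west-1"},
  "jwt": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abcdefghijklmnopqrstuvwxyz0123",
  "tls_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIE...\\n-----END RSA PRIVATE KEY-----"
}'''

# Key names that usually hold a credential (matched case-insensitively).
SENSITIVE_KEY = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|access[_-]?key", re.I)
# Value shapes that are secrets whatever the key is called (assumed patterns).
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}
def find_secrets(obj, path=""):
    """Walk parsed JSON; return (json_path, reason) for every suspect string leaf."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            child = f"{path}.{k}" if path else k
            if SENSITIVE_KEY.search(k) and isinstance(v, str) and v:
                hits.append((child, "sensitive key name"))
            hits.extend(find_secrets(v, child))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_secrets(v, f"{path}[{i}]"))
    elif isinstance(obj, str):
        hits.extend((path, n) for n, pat in VALUE_PATTERNS.items() if pat.search(obj))
    return hits

def redact(obj):
    """Return a copy of obj with every flagged leaf replaced by a marker."""
    flagged = {p for p, _ in find_secrets(obj)}
    def walk(o, p=""):
        if isinstance(o, dict):
            return {k: walk(v, f"{p}.{k}" if p else k) for k, v in o.items()}
        if isinstance(o, list):
            return [walk(v, f"{p}[{i}]") for i, v in enumerate(o)]
        return "[REDACTED]" if p in flagged else o
    return walk(obj)

# Entry points for raw JSON text: what to run before pasting anything anywhere.
def scan(text):     return find_secrets(json.loads(text))
def sanitize(text): return redact(json.loads(text))
```

Key-name matching catches the `bind_password` case even though the value looks like an ordinary string, while the value patterns catch the PEM block and the JWT under keys that name nothing sensitive; a real tool would add more value patterns and entropy checks.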
This proves that anyone, even with limited technical skills, can reach sensitive data when its owners are careless with it. Quantum computing might help one day, but for now, secure practices remain essential.
In conclusion, do not publish credentials or sensitive data on public or insecure platforms. The risks are too high, and the potential damage too great.
FAQs
Q: Why are passwords and sensitive data still being stored in unsecured online tools?
A: Many developers and organizations underestimate the security risks or are unaware of the exposure caused by using insecure platforms.
Q: What should I do to keep my credentials safe?
A: Store all sensitive information in secure, encrypted vaults; avoid sharing secrets on public platforms; and follow best security practices.
Q: How can organizations prevent leaks like this?
A: Implement strict access controls, use automated secrets management tools, regularly audit shared data, and train staff on cybersecurity awareness.
Q: Is the threat of quantum computing a realistic concern now?
A: Currently, quantum computing remains in developmental stages, but it underscores the importance of strong cryptography and secure data handling today.