Crypto Security Meltdown: 80,000+ Password and Key Files Exposed in Massive Data Breach

Digital vaults spring leaks as sensitive crypto credentials flood the dark web

The Great Key Spill

Over 80,000 password files and cryptographic keys just hit the open market—and not the kind you want trading on any exchange. Private wallets, exchange credentials, and API keys now circulating among threat actors who probably understand blockchain better than your average Wall Street analyst.

Security Protocols Shattered

This isn't your grandma's password leak—we're talking about the digital equivalent of leaving the bank vault open with the security cameras unplugged. The exposed keys could give attackers direct access to cryptocurrency holdings, trading accounts, and decentralized finance protocols.

The Aftermath Calculus

While traditional finance worries about interest rates, crypto faces a more immediate threat: someone else spending your digital gold. Maybe this explains why some hedge funds still prefer paper ledgers—at least you can see when they're on fire.

JSON and CodeBeautify leak data from government, banks, and healthcare

According to the security firm, the leaked data flaw has yet to affect three platforms, including GitHub repositories, Postman workspaces, and DockerHub containers. However, it found five years of historical content from JSONFormatter and one year of historical content from CodeBeautify, totaling more than 5 gigabytes of enriched and annotated JSON material. 

“The popularity is so great that the sole developer behind these tools is fairly inspired – with a typical visit to any tool homepage triggering 500+ web requests pretty quickly to generate what we assume is some sweet, sweet affiliate marketing revenue,” the cybersecurity group explained.

watchTowr Labs said organizations from industries like national infrastructure, government agencies, major financial institutions, insurance companies, technology providers, retail firms, aerospace organizations, telecoms, hospitals, universities, travel businesses, and even cybersecurity vendors have all had their private information exposed.

“These tools are extremely popular, appearing NEAR the top of search results for terms like ‘JSON beautify’ and ‘best place to paste secrets’ (probably, unproven), used by organizations and administrators in both enterprise environments and for personal projects,” Security researcher Jake Knott wrote in the blog post.

watchTowr Labs listed several categories of sensitive data found within the exposed files like Active Directory credentials, code repository authentication keys, database access details, LDAP configuration information, cloud environment keys, FTP login credentials, CI/CD pipeline keys, private keys, and full API requests and responses with sensitive parameters.

Investigators also mentioned Jenkins secrets, encrypted configuration files belonging to a cybersecurity firm, Know Your Customer information from banks, and AWS credentials belonging to a major financial exchange that were connected to Splunk systems. 

watchTowr: Malicious actors are scraping the leaks

According to watchTowr Labs’ damage analysis, many of the leaked keys have been collected and tested by unknown parties. In an experiment, researchers uploaded fake AWS access keys to one of the formatting platforms, and in just under two days, malicious actors attempted to abuse the credentials.

“Mostly because someone is already exploiting it, and this is all really, really stupid,” Knott continued, “we don’t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites.”

JSONFormatter and CodeBeautify temporarily disabled their save functionality in September, when the security flaw was brought to their attention. JSONFormatter it was “working on to make it better,” while CodeBeautify said it was implementing new “enhanced NSFW (Not SAFE For Work) content prevention measures.” 

Security issue in HashiCorp’s Vault Terraform Provider

Away from the leaked credentials, the San Francisco-based IBM company HashiCorp found a vulnerability that could allow attackers to bypass authentication in its Vault Terraform Provider. The firm provides developers, businesses, and security organizations with cloud-computing infrastructure and protection services.

Per the software company’s findings shared on Tuesday, the Vault Terraform flaw affects versions v4.2.0 through v5.4.0 from an insecure default configuration in the LDAP authentication method.

The issue arises because the “deny_null_bind” parameter is set to false instead of true when the provider configures Vault’s LDAP authentication backend. The parameter determines if the Vault rejects a wrong password or unauthenticated binds. 

If the connected LDAP server allows anonymous binds, attackers can authenticate and access accounts without any valid credentials.

Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.