ClickUp API Key Leak Exposed Enterprise Emails and Internal Feature Flags
ClickUp left a hardcoded third-party API key in a publicly accessible JavaScript file on its homepage, exposing 959 email addresses and 3,165 internal feature flags through unauthenticated requests. Reports said the issue was disclosed through HackerOne on January 17, 2025, yet the key allegedly remained active and unrotated into late April 2026. The exposed email addresses reportedly belonged to staff at major enterprises including Fortinet, Home Depot, Autodesk, Tenable, Rakuten, Mayo Clinic, Permira, and Akin Gump, as well as government personnel in multiple U.S. states, Queensland, and New Zealand.
Researchers said no credentials, bypass, or advanced tooling were needed to retrieve the data because the key was embedded in client-side code loaded before authentication. In addition to personal contact information, the leaked feature flags revealed internal product testing, beta features, A/B experiments, and possible roadmap details, creating risks that include targeted phishing, social engineering, credential-stuffing attempts, competitive intelligence collection, and potential platform abuse. ClickUp had not publicly acknowledged the exposure at the time of reporting.
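A defender-side check for the exposure class described above (a credential embedded in a JavaScript file that is served to unauthenticated visitors, the same pattern the "Keys on Doormats" study under Related Stories measured at scale), added here as an example and not code from the original article, ClickUp, or the study's authors: a small Python scanner that flags known provider key formats and high-entropy string literals assigned to key-like identifiers in a bundle. The sample bundle, its variable names and values, and the entropy threshold are constructed assumptions for illustration.

```python
import math
import re
from collections import Counter

# Fixed-format credential shapes; these prefixes are the providers' real formats.
KNOWN_FORMATS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe_live_secret", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b")),
    ("github_pat", re.compile(r"\bghp_[0-9A-Za-z]{36}\b")),
]
# Catch-all: an identifier containing key/token/secret assigned a long string literal.
GENERIC_ASSIGN = re.compile(
    r"(?i)\b([A-Za-z_$][\w$]*(?:key|token|secret)[\w$]*)\s*[:=]\s*[\"']([^\"']{20,})[\"']")
ENTROPY_THRESHOLD = 4.0  # bits per char (assumed); random 30-char keys score about 4.5-4.9
NAME_BEFORE = re.compile(r"([\w$]+)\s*[:=]\s*[\"']$")  # identifier assigned just before a match

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def mask(value: str) -> str:  # never echo the full candidate secret into a report
    return value[:4] + "..." + value[-2:]

def scan_js_for_secrets(source: str) -> list[dict]:
    findings, seen = [], set()
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, rx in KNOWN_FORMATS:
            for m in rx.finditer(line):
                before = NAME_BEFORE.search(line[:m.start()])
                findings.append({"rule": rule, "line": line_no,
                                 "name": before.group(1) if before else None,
                                 "value": mask(m.group(0))})
                seen.add((line_no, m.group(0)))
        for name, value in GENERIC_ASSIGN.findall(line):
            if (line_no, value) in seen or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # already reported, or a low-entropy placeholder/constant
            findings.append({"rule": "high_entropy_assignment", "line": line_no,
                             "name": name, "value": mask(value)})
    return findings

# Constructed sample of a bundled front-end file; values are fake and not from any vendor.
SAMPLE_BUNDLE = """\
(function(){var e={};
e.region="us-east-1";
e.awsAccessKeyId="AKIAEXAMPLEKEY000000";
e.stripeKey="sk_live_EXAMPLEEXAMPLEEXAMPLE000";
var featureFlagApiKey="q9Xv2Lm7Rt4Zc8Kp1Wn5Yb3Hd6Fj0Gs";
var apiKeyPlaceholder="REPLACE_ME_REPLACE_ME_REPLACE";
})();"""
```

Run `scan_js_for_secrets` over the JavaScript your site serves before login (for example, fetched from the same URLs the homepage loads); a hit is a candidate for rotation and for moving the call behind a server-side proxy.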
Timeline
Apr 27, 2026
Have I Been Pwned confirms Pitney Bowes breach details
Have I Been Pwned confirmed the Pitney Bowes breach and said the leaked dataset contained 8.2 million unique email addresses, plus names, phone numbers, physical addresses, and some employee job-title records. This public confirmation established the scale and data types exposed in the incident.
Apr 27, 2026
ClickUp exposure remains active for over a year
The exposed ClickUp API key remained active and unrotated through late April 2026, continuing to expose 959 email addresses and 3,165 internal feature flags without authentication. Reports said ClickUp had not publicly acknowledged the issue at the time of publication.
Apr 1, 2026
ShinyHunters claims Pitney Bowes breach in extortion campaign
In April 2026, ShinyHunters claimed to have obtained Pitney Bowes data as part of a broader pay-or-leak extortion campaign targeting multiple organizations. According to the reports, negotiations allegedly failed and the group then publicly released the stolen data.
Jan 17, 2025
Researcher reports ClickUp hardcoded API key via HackerOne
A researcher disclosed to ClickUp via HackerOne that a hardcoded third-party API key in a publicly accessible JavaScript file allowed unauthenticated access to sensitive backend data. The issue was reportedly submitted on January 17, 2025.
Related Stories

Researchers Find 1,748 Valid API Keys Exposed Across Public Websites
Researchers from Stanford University, the University of California, Davis, and TU Delft found **1,748 valid API credentials** exposed across roughly **10,000 public webpages** after analyzing about **10 million websites**, revealing a broad secret-leakage problem outside traditional code repositories. The credentials, identified with TruffleHog and detailed in the study *Keys on Doormats: Exposed API Credentials on the Web*, provided access to services including **AWS**, **GitHub**, **Stripe**, and **OpenAI**. The exposed secrets were tied to multinational corporations, critical infrastructure operators, government agencies, and at least one global bank. Most of the exposed credentials were embedded in **JavaScript** resources, often inside bundled files generated by tools such as Webpack, creating direct paths into cloud infrastructure, payment systems, and software repositories. Researchers said AWS keys made up more than **16%** of verified exposures, and cited cases including cloud credentials linked to a global bank’s core infrastructure and firmware repository credentials associated with drones and remote-controlled devices, raising the risk of malicious firmware updates. After responsible disclosure, the number of exposed credentials dropped by about half within two weeks, but the study found such secrets often remain publicly accessible for an average of **12 months** and sometimes for years.
1 month ago
Dark Web Leak Claims Target Multiple Organizations, Including Salesfloor and Republic
Dark web monitoring reports surfaced multiple **alleged data leaks** affecting unrelated organizations, with several listings offering databases for sale or direct download. Reports claim **Republic (republic.com)** user data (~4.94M users) was listed for sale for **$2,400**, allegedly including names, emails, physical addresses, and phone numbers. Separate dark web listings also alleged exposure of **rueducommerce.fr** user data (linked in reporting to **Carrefour**) totaling ~2.17M records with similar PII, as well as alleged leaks involving **Dunzo** (~3.4M records) and **Menulux** (~93K records). Additional reporting highlighted a historical breach dataset for the **YouHack** forum (2013; ~107K users) containing usernames, emails, passwords, IPs, posts, and private messages, and a smaller exposure tied to **buylottoonline.com** (~38.5K email records). One of the most consequential claims involved **Salesfloor / People Powered E-Commerce (salesfloor.net)**, attributed in reporting to **LAPSUS$**, alleging theft of roughly **4 TB uncompressed** (1 TB compressed) data including **source code, logs, and customer information**, with potential downstream impact to retail brands using the platform. Separately from the dark-web-leak theme, other items in the set describe distinct vulnerability-driven risks rather than breach listings: **Zoom Node MMRs** command injection (**CVE-2026-22844**, CVSS 9.9) enabling arbitrary code execution in certain hybrid meeting deployments; **SmarterMail** auth bypass (**CVE-2026-23760**) enabling admin password reset via `force-reset-password` and potential RCE; **Vite** improper access control (**CVE-2025-31125**) enabling sensitive file exposure via query parameters such as `?inline&import` / `?raw&import` (noted as added to CISA KEV); and **Appsmith** password-reset token exposure (**CVE-2026-22794**) enabling account takeover, with internet-exposed instances identified via Shodan and remediation via upgrade to *Appsmith* 1.93. 
These vulnerability reports are separate from the dark web leak claims and should be tracked as independent patching priorities rather than as part of a single breach event.
1 month ago
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **~1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
1 month ago