November 25, 2025

“Recent Links” feature used by online formatters exposes private data

At a glance: The “Recent Links” feature on code‑beautifying sites exposes links to snippets users saved on those platforms. Because the pages are unprotected and follow predictable URL patterns, anyone can crawl them and access credentials and sensitive data.

Threat summary

On November 25, 2025, researchers reported on a recently uncovered security gap in popular online code beautifier tools and their “Recent Links” feature. The feature, intended to make saved snippets easily accessible, has inadvertently exposed sensitive credentials, private keys, and configuration data from banks, government agencies, and technology companies.

Online code beautification tools are web-based utilities that automatically format and “beautify” source code to make it more readable, consistent, and easier to maintain. When developers paste code into these beautifier sites and click “save,” the platform generates a public URL and lists it under a “Recent Links” page. These pages are unauthenticated and follow predictable URL structures, making it easy to scrape these links using automated crawlers and extract sensitive data through exposed application programming interface (API) endpoints.

The information exposed through this security gap included Active Directory credentials, database connection strings, cloud service keys, API tokens, CI/CD secrets, repository tokens, and even personally identifiable information.

Researchers tested the exposure by planting fake Amazon Web Services keys. These were accessed 48 hours after upload, even after the links had expired, confirming that attackers are actively scanning these platforms.

The exposed data reportedly impacts organizations across critical sectors including government, banking, insurance, aerospace, healthcare, education, telecommunications, and cybersecurity.

Analyst insight

This is not a direct breach but rather exploitation of insecure developer practices combined with weak platform protections. These tools are popular because they provide instant results without requiring installation, making them convenient for quick fixes or sharing formatted snippets.

While useful, these tools can pose significant security risks if sensitive information such as credentials, API keys, or configuration files is pasted into them. Some beautifiers store or publicly display saved snippets through features like “Recent Links,” which can inadvertently expose private data to attackers. For enterprises, the safer alternative is to rely on integrated formatting tools within local development environments, which provide the same benefits without the risk of leaking sensitive information online.
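As an added illustration (not code from the researchers or from Field Effect), the sketch below follows the recommendation above: it formats JSON on the workstation and flags the kinds of data the report lists before a snippet goes anywhere else. The detector patterns, function names, and sample snippet are assumptions constructed for this example and are not exhaustive.

```python
import json
import re

# Illustrative detectors for data types named in the report (assumed patterns, not exhaustive).
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # URI with embedded user:password, e.g. a database connection string.
    "connection_string": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s:/@]+@[^\s/\"']+"),
    # GitHub-style token prefixes, used here as one example of a repository token.
    "repository_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "credential_assignment": re.compile(
        r"(?i)\"?(?:password|passwd|pwd|secret|api[_-]?key|token)\"?\s*[:=]\s*\"?[^\s\",]{8,}"),
}


def find_secrets(text):
    """Return sorted (line_number, detector_name) pairs; matched values are never returned."""
    hits = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in DETECTORS.items():
            if pattern.search(line):
                hits.add((lineno, name))
    return sorted(hits)


def beautify_locally(raw_json):
    """Pretty-print JSON without any network call and report secret-like content."""
    pretty = json.dumps(json.loads(raw_json), indent=2, sort_keys=True)
    return pretty, find_secrets(pretty)


# Constructed sample: AWS's documented example key ID plus made-up values.
SAMPLE = ('{"region":"us-east-1","aws_key":"AKIAIOSFODNN7EXAMPLE",'
          '"db":"postgres://app:S3cretPass@db.internal.example:5432/orders",'
          '"ldap_password":"Winter2025!!","retries":3}')

if __name__ == "__main__":
    pretty, findings = beautify_locally(SAMPLE)
    print(pretty)
    for lineno, name in findings:
        print(f"line {lineno}: {name}: keep this snippet out of online tools")
```
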

This incident highlights the risks of shadow IT tools and the dangers of developers pasting sensitive code into unvetted online platforms.

Such incidents could be prevented with a combination of policy, awareness, and technical controls. Clear guidelines are needed to prohibit the use of unvetted online tools for handling sensitive code or credentials, while promoting approved internal alternatives such as enterprise code review platforms or secure pastebins. Developer training should emphasize the risks of pasting secrets into online utilities and reinforce secure coding practices. Centralized secrets management solutions should be enforced, with automated rotation and monitoring for leakage using DLP tools and threat intelligence feeds.

Field Effect MDR detects attackers abusing compromised credentials via continuous monitoring, behavioral analytics, and automated response. Even if credentials are technically valid, Field Effect MDR monitors how they are used—flagging logins from unusual locations, devices, or times, and detecting actions that fall outside a legitimate user’s normal behavior.

Field Effect further enhances protection with deep and dark web monitoring and external threat feeds to identify when an organization’s credentials have been exposed.
