Cybersecurity Today
Episode: The Hidden Danger of Storing Secrets Online
Host: Jim Love
Guest: Jake Knott, Principal Security Researcher, Watchtower
Date: December 13, 2025
Episode Overview
In this episode, Jim Love interviews Jake Knott from Watchtower about a rarely discussed, yet growing threat: the accidental exposure of sensitive business secrets—such as passwords, credentials, and even customer data—through seemingly harmless online tools like code formatters and JSON beautifiers. The conversation dives into real-world discoveries of exposed secrets, the behavioral patterns behind these leaks, and practical recommendations for organizations looking to safeguard their critical data.
Key Discussion Points and Insights
1. The Shocking Discovery
- Jim Love recounts being “gobsmacked” by a researcher’s claim of over 80,000 records and 5GB of annotated data containing secrets from major organizations, all easily accessible via online tools ([01:40]).
- Exposed data included:
  - Usernames, passwords, SSL certificates, API keys, configuration files.
  - Highly sensitive "Know Your Customer" (KYC) data for a major financial institution.
  - Internal scripts, endpoint documentation, and default credentials from consulting and cybersecurity firms.
"I have to tell you... I thought after all these years I'd lost my capacity for being shocked... I was absolutely gobsmacked when I got an email from a researcher... 80,000 plus downloaded submissions, five gigabytes... containing thousands of secrets."
– Jim Love, [01:40]
2. Meet the Researcher: Jake Knott and Watchtower
- Watchtower is a Series A startup focusing on preemptive exposure management—finding and alerting organizations to exposures before attackers exploit them ([07:42]).
- Jake describes his job: "I spend my days looking at organizations, trying to figure out how are attackers breaking in..." ([07:47]).
3. How Secrets Get Leaked: The Path from Convenience to Catastrophe
- Victims of Convenience: Both host and guest stress that most leaks are unintentional, stemming from attempts to quickly share or prettify data. ([00:22], [26:54]).
- Developers use online tools like JSON Formatter and Code Beautify to reformat code or data for readability, often pasting sensitive scripts or blobs and using built-in "share link" features.
- By Design Exposure: These tools commonly have "recent links" or "community libraries" openly displaying any data saved, accessible to anyone—including attackers ([13:12]).
"Many users using these tools probably didn't realize... when they were generating a link to send to a colleague... these were inadvertently being exposed and anybody visiting the site could view them."
– Jake Knott, [14:02]
- Unlike high-profile repositories (e.g., GitHub, Docker Hub) which are monitored, code formatters and similar tools have received little scrutiny, making them an overlooked risk ([10:29], [12:26]).
4. What Was Discovered?
- Jake and his team found virtually every type of secret or credential:
  - Active Directory credentials, cloud environment keys, payment gateway secrets, database credentials.
  - “What didn’t we find is the question.” ([11:23])
- The most shocking: a major bank unknowingly exposed detailed customer PII in code blobs ([16:26]).
- Example: MITRE (a prominent U.S. R&D organization) credentials were found because a university student with access to shared MITRE tooling had inadvertently exposed them, highlighting how trusted third parties widen an organization’s exposure ([19:40]).
"MITRE definitely stood out to us... After digging into the data we found exposed, we actually determined it was a university student at a well known US college who had access to shared tooling within MITRE..."
– Jake Knott, [19:40]
5. Incident Response and Responsible Disclosure
- Jake and his team notified national and regional CERTs—including the UK, Norway, Greece, and Canada—and affected organizations ([20:52]).
- Responses varied: some orgs reacted quickly and fixed issues, while others routed reports to slow-moving bug bounty systems or did not respond at all ([22:54]).
"Some of the organizations, incredibly responsive, reaching out immediately, getting the credentials rotated... But many others we didn't get a response."
– Jake Knott, [22:54]
6. Attackers Are Already There
- To test whether attackers monitor these sites, Jake's team planted “canary credentials” (bait credentials) ([23:30]).
- Within 48 hours, even expired credentials were attempted in real-world attacks, proving active malicious monitoring of these resources ([24:55]).
"We published canary credentials... and 48 hours after... we had someone attempt to use them, which to us indicates somebody else was actively scraping and looking at what are people setting on these platforms."
– Jake Knott, [24:55]
7. To Disclose or Not to Disclose?
- Jake wrestled with the ethics of “going public,” but concluded that “nobody benefits from commoditizing access to these tools if it’s just between research orgs and attackers”—wider awareness was necessary to drive real change ([25:13]).
8. Underlying Problems: Human Behavior and Workflow Pressures
- Leaks frequently result from:
  - Habit (“this is the way it’s always been done”).
  - Productivity pressures—devs seeking the fastest solution, sometimes at the expense of security ([26:54], [27:23]).
9. Best Practices and Defensive Recommendations
- Education: Internal training on what types of data never belong in public tools.
- Best Practice Guides: Document and regularly remind teams of secure sharing protocols.
- Technical Controls:
  - Use credential vaults.
  - Employ “just in time” credentials—ephemeral access that limits the window of risk.
  - Implement automated detection tools for secrets in all external and cloud channels.
"Perhaps we are securely storing our credentials and passwords in vaults. Perhaps we are provisioning just in time credentials so that when they're leaked there's no impact..."
– Jake Knott, [31:52]
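One way to put the last of those controls into practice, as an added example that is not from the episode or from Watchtower: a pre-share check that scans a blob for credential patterns before it is pasted into an online formatter or turned into a share link, and redacts what it finds. The detection rules, field names and every sample value are constructed for illustration.

```python
import re

# Constructed sample: the kind of JSON a developer pastes into an online
# beautifier before clicking "share link". Every value here is made up.
SAMPLE_BLOB = """{
  "db": {"host": "db.internal.example", "password": "Winter2025!"},
  "aws_access_key_id": "AKIAEXAMPLEEXAMPLE01",
  "tls_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEA...\\n-----END RSA PRIVATE KEY-----",
  "feature_flags": {"debug": false, "token_ttl_seconds": 300}
}"""

# Hypothetical detection rules (not any product's rule set); group 1 of each
# regex is the secret value that gets redacted.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(
        r"(-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----)", re.S)),
    # Secret-looking JSON field name with a string value. Numeric values such as
    # "token_ttl_seconds": 300 are ignored, and <REDACTED:...> placeholders are
    # skipped so a re-scan of redacted output comes back clean.
    ("sensitive_field", re.compile(
        r'"[a-z0-9_]*(?:password|passwd|secret|api_key|token|access_key)[a-z0-9_]*"'
        r'\s*:\s*"(?!<REDACTED:)([^"]+)"', re.I)),
]

def _scan(text):
    """Map each secret's (start, end) span to (line_no, kind, value); first rule wins."""
    found = {}
    for kind, rx in RULES:
        for m in rx.finditer(text):
            span = m.span(1)
            if span not in found:
                found[span] = (text.count("\n", 0, span[0]) + 1, kind, m.group(1))
    return found

def find_secrets(text):
    """Findings as a list of (line_no, kind, value), ordered by position in the text."""
    return [hit for _, hit in sorted(_scan(text).items())]

def redact(text):
    """Replace each detected value with a placeholder (from the end, so offsets stay valid)."""
    for (start, end), (_, kind, _) in sorted(_scan(text).items(), reverse=True):
        text = text[:start] + f"<REDACTED:{kind}>" + text[end:]
    return text

def safe_to_share(text):
    """Gate for a share/paste action: True only when nothing is detected."""
    return not _scan(text)
```

The same rules can run as a pre-commit hook or a clipboard guard; the point is that the check happens before the data leaves the machine, not after a researcher finds it.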
10. The Ongoing Threat
- Jake is convinced accidental data exposures will increase as more tooling and automation are adopted—especially as productivity and speed are prioritized ([35:31]).
Memorable Quotes & Moments
- On the root cause:
"Victims of convenience... I suspect the people accidentally leaking these secrets is not intentional... they're just doing it innocently to get their work formatted." — Jake Knott ([26:54])
- On the horror of discovery:
"Did you like do holy shit, what, did you phone somebody? What did you do?" — Jim Love ([18:22])
- On disclosure ethics:
“I think nobody benefits from commoditizing access… when we have evidence attackers are already looking. By publicizing this research, we're bringing more attention to ensuring orgs understand the risk.” — Jake Knott ([25:13])
Key Timestamps
- 01:40: Jim's shocked reaction to initial discovery
- 07:42: Introduction to Watchtower and Jake Knott’s role
- 10:29: Why code formatting tools went unmonitored
- 13:12: How links are exposed “by design”
- 16:26: Example: Major bank leaks customer PII
- 19:40: Example: MITRE credentials, 3rd party pathway
- 20:52: Responsible disclosure and varied organizational responses
- 23:30: Canary credentials – proof of attacker activity
- 25:13: The ethics of public disclosure
- 26:54: Behavioral roots of accidental leaks
- 28:27: Best practice recommendations
- 31:52: Importance of controls for when—not if—exposures happen
Final Comments and Recommendations
Jake Knott predicts accidental data exposure is a trend that will only grow. The key, he says, is not chasing perfect prevention but building resilient, responsive processes—investing in detection, best practice education, and rapid incident response.
Jim wraps up with a call to action:
- On Monday morning, ask your teams “Are we using these tools? Are secrets being shared outside secure channels?”
- Don’t wait for a headline to hit—start the conversation and review internal workflows now.
"Let's get in there and find out what tools we have and what ability they have to store secrets and information we don't want others to get a hold of."
– Jim Love ([35:51])
Additional Resources
- Read the Watchtower Labs blog for technical details of the research (link in show notes).
- Run internal audits on cloud services, code repositories, and any online tooling for unintended public exposure.
- Train your team: Never post sensitive information into public or unknown online services, regardless of convenience.
For further information or to reach out, contact Jim Love at technewsday.com.
