The JSONFormatter & CodeBeautify Data Leak: What Developers Need to Know

In November 2025, security researchers at watchTowr Labs revealed that JSONFormatter.org and CodeBeautify.org had been quietly storing user-submitted data on their servers for years — and that data was accessible. Over 80,000 files totalling 5 GB were exposed, containing passwords, API keys, SSH private keys, OAuth tokens, and Active Directory credentials from organisations across banking, healthcare, government, and telecoms.

The incident was covered by The Hacker News, BleepingComputer, and Help Net Security. Active exploits against the exposed credentials appeared within 48 hours of publication.

This article explains what happened, why it happened architecturally, and how to verify whether any online tool is safe before you paste anything sensitive into it.

What Was Exposed

According to the watchTowr Labs investigation, the exposed data included:

Passwords and credentials pasted into the formatter (database connection strings, admin passwords)
API keys and secrets (AWS access keys, Stripe keys, SendGrid API tokens, GitHub tokens)
SSH private keys
OAuth 2.0 access tokens and refresh tokens
Active Directory credentials from enterprise environments
Cloud provider credentials (AWS, GCP, Azure service account keys)
JWT tokens containing user identity and session data

These are not theoretical risks. Developers routinely paste real configuration files, environment variables, and API responses into formatters to debug them. A .env file formatted once in 2022 could still be sitting in a server database in 2025.

Why It Happened: The Server-Side Architecture Problem

The root cause is architectural. Both JSONFormatter.org and CodeBeautify.org process user input on their servers. When you click "Format", your data is sent via an HTTP request to their backend, processed, and returned. Some features — save-and-share, history, collaboration — required storing that data persistently in a database.

This is the data flow for a server-side formatter:

Your browser → [POST /format] → Their server → Database
                                      ↓
                              Formatted JSON
                                      ↓
               Their server → [Response] → Your browser

The data reached their server. Once it's there, its security depends entirely on their database access controls, retention policies, and whether their infrastructure gets compromised. In this case, years of user data accumulated with insufficient access controls, and the exposure was discovered from the outside — not disclosed by the sites themselves.

This is the data flow for a client-side formatter:

Your browser → JavaScript formats the JSON locally
                        ↓
               Formatted JSON displayed
               (no network request made)

There is no server request. The data never leaves your device. Even if the tool's domain were compromised, an attacker would find nothing — there is no data to steal because none was ever sent.

How to Verify Any Online Tool in 10 Seconds

You don't have to take a tool's word for it. You can verify the architecture yourself using your browser's built-in developer tools:

Open the tool in your browser.
Press F12 (Windows/Linux) or Cmd+Option+I (macOS) to open DevTools.
Click the Network tab.
Click the Clear button (⊘) to remove existing entries.
Paste some text into the tool and trigger its action (Format, Encode, Decode, etc.).
Watch the Network tab.

Safe (client-side): No new entries appear in the Network tab. All processing happened locally in your browser's JavaScript engine.

Unsafe (server-side): A new request appears — typically a POST or GET — and if you click it, you'll see your pasted data in the request payload.

This test is definitive. It doesn't require trusting any privacy policy or marketing claim.

The Broader Pattern: Why This Keeps Happening

The JSONFormatter and CodeBeautify leak is not unique. Server-side developer tools have a structural incentive problem:

Storage is cheap. Keeping user data costs almost nothing, so it accumulates indefinitely.
There's no deletion pressure. Users don't know their data is stored, so they don't request deletion.
Security audits are rare. Small tools operated by individuals or small teams rarely undergo professional security audits.
The attack surface grows silently. A tool that processed 1 million formatting requests over five years has a database containing data from 1 million sessions — most of which the users have forgotten about.

The only architectural defense is to not process user data server-side in the first place. If the data is never sent to a server, it cannot be stored, breached, or subpoenaed.

What to Use Instead

For the tools that JSONFormatter and CodeBeautify provided, there are fully client-side alternatives that pass the Network tab test:

Tool	Client-side alternative
JSON Formatter / Beautifier	devessentials.dev/json-formatter
JSON Validator	devessentials.dev/json-validator
JSON Repair	devessentials.dev/json-repair
Base64 Encoder / Decoder	devessentials.dev/base64
URL Encoder / Decoder	devessentials.dev/url-encoder
JWT Decoder	devessentials.dev/jwt-decoder
Hash Generator (MD5, SHA-256)	devessentials.dev/hash-generator
UUID Generator	devessentials.dev/uuid-generator
JSON to YAML / YAML to JSON	devessentials.dev/json-to-yaml
Diff Checker	devessentials.dev/diff-checker
SQL Formatter	devessentials.dev/sql-formatter
Password Generator	devessentials.dev/password-generator

Every tool on DevEssentials runs entirely in your browser. There is no backend — no server receives your input, no database stores it. You can verify this yourself with the Network tab test above. Once the page has loaded, the tools work completely offline.

If You Used JSONFormatter or CodeBeautify

If you pasted sensitive data into either site — configuration files, environment variables, API responses containing keys, JWTs, database connection strings — treat those credentials as compromised:

Rotate all API keys that appeared in anything you formatted on either site.
Revoke OAuth tokens that may have been in formatted JSON payloads.
Regenerate SSH keys if any private keys were pasted.
Change passwords visible in any formatted configuration files.
Audit your cloud provider (AWS, GCP, Azure) for any activity from credentials that could have been exposed.

Active exploits against credentials from the leaked data were reported within 48 hours of the watchTowr Labs disclosure. If the data was in the leak, it should be considered already tested by attackers.

Need a safe JSON formatter that never sends your data anywhere? Open the DevEssentials JSON Formatter →

Frequently Asked Questions

Was my data exposed in the JSONFormatter or CodeBeautify leak?▾

If you used the save, share, or history features on JSONFormatter.org or CodeBeautify.org before November 2025, there is a real risk that whatever you pasted was stored server-side and may have been accessible. The watchTowr Labs investigation found over 80,000 files totalling 5 GB of data — including passwords, API keys, SSH private keys, OAuth tokens, and Active Directory credentials from organisations in banking, healthcare, government, and telecoms.

If you pasted anything sensitive on either site, rotate those credentials immediately. Treat them as compromised.

How do I know if an online tool is client-side or server-side?▾

Open your browser's Developer Tools (F12 or Cmd+Option+I), go to the Network tab, and clear it. Then paste some text into the tool and trigger its action (format, encode, decode, etc.). Watch the Network tab for any outbound requests.

A genuine client-side tool shows zero network requests when you use it — all processing happens in your browser via JavaScript. A server-side tool will show a POST or GET request containing your data going to a server. This test takes 10 seconds and works on any tool.

Are all online developer tools dangerous?▾

No — the risk is specific to server-side tools that process or store your input on their servers. Client-side tools that run entirely in your browser with JavaScript are safe for sensitive data, because the data never leaves your device.

The problem is that most tools look identical whether they're client-side or server-side. You can't tell from the UI. The Network tab test (above) is the only reliable way to verify. Alternatively, use tools that explicitly document their architecture and whose code is open source.

Why would a JSON formatter need to store my data on a server?▾

For basic formatting, it doesn't need to. JavaScript can format JSON entirely client-side in milliseconds.

Server-side processing is typically introduced for features like save-and-share (persistent URLs), history/revision tracking, collaboration, or server-side validation with heavy libraries. The problem is that many tools added these features years ago, stored the data indefinitely, and never properly secured or purged it. The watchTowr Labs investigation found years-old data still accessible.

The architectural decision to process on the server isn't inherently malicious — but it creates a data retention risk that compounds over time.

What should I use instead of JSONFormatter.org and CodeBeautify.org?▾

For JSON formatting and validation: DevEssentials JSON Formatter (devessentials.dev/json-formatter) processes everything in your browser with zero server requests. Other client-side alternatives include transform.tools for format conversion tasks.

For any tool you use with sensitive data, apply the Network tab test first. The architectural principle is simple: if the tool works offline once the page has loaded, your data stays in your browser.