ClickUp Hardcoded API Key Exposes Fortune 500 Emails
Key Takeaways A hardcoded third-party API key in ClickUp’s public JavaScript file exposed nearly a thousand corporate and government email addresses. The exposed data includes employees from...
Key Takeaways
- A hardcoded third-party API key in ClickUp’s public JavaScript file exposed nearly a thousand corporate and government email addresses.
- The exposed data includes employees from major cybersecurity firms, Fortune 500 companies, and government entities across multiple countries.
- The vulnerability, reported in January 2025, remained unpatched with the API key still active as of April 2026.
- The exposure creates a significant risk for targeted phishing, social engineering, and competitive intelligence gathering.
A critical security lapse involving a hardcoded third-party API key within a publicly accessible JavaScript file on ClickUp’s homepage has led to the exposure of nearly a thousand corporate and government email addresses. The vulnerability, initially reported in January 2025, remained unaddressed for over 15 months, with the API key still active as of April 2026, according to a security researcher.
Table Of Content
The incident impacts employees from a diverse range of high-profile organizations, including cybersecurity giants like Fortinet and Tenable, major retailers such as Home Depot, and government workers from various U.S. states and international entities.
Hardcoded API Key Exposed
The discovery was made by a security researcher who, while visiting the ClickUp homepage, simply inspected the page source. This revealed an API key directly embedded in a JavaScript file that loaded without any user authentication. Utilizing this key, a single unauthenticated GET request was sufficient to retrieve a trove of sensitive data.
The researcher, identified as “impulsive” on Twitter, detailed the findings, stating, “i went to https://clickup.com. opened the page source. found a hardcoded API key in the javascript. copied it. sent one GET request. got back 959 email addresses and 3,165 internal feature flags.” This operation required no specialized tools, bypasses, or credentials, highlighting the severe nature of the misconfiguration. The full scope of the findings was shared via a Twitter post on April 27, 2026.
Organizations and Individuals Affected
The leaked information encompasses a wide array of high-value targets. Among the exposed are employees from Home Depot, Fortinet, Autodesk, Tenable, Rakuten, Mayo Clinic, Permira, and the law firm Akin Gump. Government employees from Wyoming, Arkansas, North Carolina, Montana, Queensland (Australia), and New Zealand were also impacted, alongside a Microsoft contractor and 71 ClickUp employees.
The exposure of email addresses from organizations like Fortinet, a leading manufacturer of enterprise firewalls, and Tenable, known for its Nessus vulnerability scanner, is particularly concerning. These companies are integral to global cybersecurity infrastructure. The availability of their employees’ email addresses creates a direct and fertile ground for highly targeted phishing, credential stuffing, and social engineering attacks, potentially compromising the very entities responsible for defending critical systems.
Beyond email addresses, the leak also included 3,165 internal feature flags. These flags could reveal details about ClickUp’s product development, upcoming beta features, and A/B testing configurations. Such information could be invaluable for competitive intelligence gathering or for facilitating targeted abuse of the platform.
Delayed Remediation
The vulnerability was initially reported to ClickUp through the HackerOne bug bounty platform on January 17, 2025. Despite this early notification, the API key remained unrotated and active for over 15 months. The researcher confirmed the data was still accessible and live just minutes before the public disclosure in late April 2026, indicating a persistent and unpatched vulnerability.
This incident is not a zero-day but rather a known security flaw that continued to expose sensitive enterprise Personally Identifiable Information (PII) for more than a year. ClickUp, a company that has raised $535 million at a $4 billion valuation and claims 85% of the Fortune 500 as users, is expected to maintain robust security practices. The presence of hardcoded secrets in client-side JavaScript is a well-documented and preventable vulnerability, making the prolonged exposure difficult to reconcile with the company’s stated security posture and market position.
As of the time of publication, ClickUp has not publicly acknowledged the ongoing data exposure.
What You Should Do
- Implement Multi-Factor Authentication (MFA): Ensure all accounts, especially those associated with exposed email addresses, have strong MFA enabled to mitigate credential stuffing risks.
- Increase Phishing Awareness: Educate employees on the heightened risk of targeted phishing and social engineering attacks. Emphasize vigilance against unusual emails, even those seemingly from known contacts or organizations.
- Monitor for Suspicious Activity: Organizations whose employee emails were exposed should increase monitoring for unusual login attempts, account activity, and data access.
- Review Third-Party Integrations: Conduct a thorough audit of all third-party API keys and secrets within your organization’s applications, especially those embedded in client-side code, to ensure they are not hardcoded or publicly accessible.
- Rotate API Keys Regularly: Establish and enforce a policy for regular rotation of all API keys, particularly those with access to sensitive data, to minimize the impact of potential leaks.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.