Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
PamStealer Mimics Maccy, Silently Harvests Data
July 4, 2026
Critical FatFs Vulnerabilities Expose Millions of Embedded Devices
July 4, 2026
Critical Linux Kernel Vulnerability CVE-2023-0179 Grants Root Access
July 4, 2026
Home/CyberSecurity News/ClickUp Hardcoded API Key Exposes Fortune 500 Emails
CyberSecurity News

ClickUp Hardcoded API Key Exposes Fortune 500 Emails

Key Takeaways A hardcoded third-party API key in ClickUp’s public JavaScript file exposed nearly a thousand corporate and government email addresses. The exposed data includes employees from...

Sarah simpson
Sarah simpson
April 27, 2026 4 Min Read
44 0

Key Takeaways

  • A hardcoded third-party API key in ClickUp’s public JavaScript file exposed nearly a thousand corporate and government email addresses.
  • The exposed data includes employees from major cybersecurity firms, Fortune 500 companies, and government entities across multiple countries.
  • The vulnerability, reported in January 2025, remained unpatched with the API key still active as of April 2026.
  • The exposure creates a significant risk for targeted phishing, social engineering, and competitive intelligence gathering.

A critical security lapse involving a hardcoded third-party API key within a publicly accessible JavaScript file on ClickUp’s homepage has led to the exposure of nearly a thousand corporate and government email addresses. The vulnerability, initially reported in January 2025, remained unaddressed for over 15 months, with the API key still active as of April 2026, according to a security researcher.

Table Of Content

  • Key Takeaways
  • Hardcoded API Key Exposed
  • Organizations and Individuals Affected
  • Delayed Remediation
  • What You Should Do

The incident impacts employees from a diverse range of high-profile organizations, including cybersecurity giants like Fortinet and Tenable, major retailers such as Home Depot, and government workers from various U.S. states and international entities.

Hardcoded API Key Exposed

The discovery was made by a security researcher who, while visiting the ClickUp homepage, simply inspected the page source. This revealed an API key directly embedded in a JavaScript file that loaded without any user authentication. Utilizing this key, a single unauthenticated GET request was sufficient to retrieve a trove of sensitive data.

The researcher, identified as “impulsive” on Twitter, detailed the findings, stating, “i went to https://clickup.com. opened the page source. found a hardcoded API key in the javascript. copied it. sent one GET request. got back 959 email addresses and 3,165 internal feature flags.” This operation required no specialized tools, bypasses, or credentials, highlighting the severe nature of the misconfiguration. The full scope of the findings was shared via a Twitter post on April 27, 2026.

Organizations and Individuals Affected

The leaked information encompasses a wide array of high-value targets. Among the exposed are employees from Home Depot, Fortinet, Autodesk, Tenable, Rakuten, Mayo Clinic, Permira, and the law firm Akin Gump. Government employees from Wyoming, Arkansas, North Carolina, Montana, Queensland (Australia), and New Zealand were also impacted, alongside a Microsoft contractor and 71 ClickUp employees.

The exposure of email addresses from organizations like Fortinet, a leading manufacturer of enterprise firewalls, and Tenable, known for its Nessus vulnerability scanner, is particularly concerning. These companies are integral to global cybersecurity infrastructure. The availability of their employees’ email addresses creates a direct and fertile ground for highly targeted phishing, credential stuffing, and social engineering attacks, potentially compromising the very entities responsible for defending critical systems.

Beyond email addresses, the leak also included 3,165 internal feature flags. These flags could reveal details about ClickUp’s product development, upcoming beta features, and A/B testing configurations. Such information could be invaluable for competitive intelligence gathering or for facilitating targeted abuse of the platform.

Delayed Remediation

The vulnerability was initially reported to ClickUp through the HackerOne bug bounty platform on January 17, 2025. Despite this early notification, the API key remained unrotated and active for over 15 months. The researcher confirmed the data was still accessible and live just minutes before the public disclosure in late April 2026, indicating a persistent and unpatched vulnerability.

This incident is not a zero-day but rather a known security flaw that continued to expose sensitive enterprise Personally Identifiable Information (PII) for more than a year. ClickUp, a company that has raised $535 million at a $4 billion valuation and claims 85% of the Fortune 500 as users, is expected to maintain robust security practices. The presence of hardcoded secrets in client-side JavaScript is a well-documented and preventable vulnerability, making the prolonged exposure difficult to reconcile with the company’s stated security posture and market position.

As of the time of publication, ClickUp has not publicly acknowledged the ongoing data exposure.

What You Should Do

  • Implement Multi-Factor Authentication (MFA): Ensure all accounts, especially those associated with exposed email addresses, have strong MFA enabled to mitigate credential stuffing risks.
  • Increase Phishing Awareness: Educate employees on the heightened risk of targeted phishing and social engineering attacks. Emphasize vigilance against unusual emails, even those seemingly from known contacts or organizations.
  • Monitor for Suspicious Activity: Organizations whose employee emails were exposed should increase monitoring for unusual login attempts, account activity, and data access.
  • Review Third-Party Integrations: Conduct a thorough audit of all third-party API keys and secrets within your organization’s applications, especially those embedded in client-side code, to ensure they are not hardcoded or publicly accessible.
  • Rotate API Keys Regularly: Establish and enforce a policy for regular rotation of all API keys, particularly those with access to sensitive data, to minimize the impact of potential leaks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCybersecurityHackerPatchphishingSecurityVulnerabilityzero-day

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical Gemini CLI flaw lets attackers run code remotely

Next Post

Critical Notepad++ Vulnerability Lets Attackers Crash App, Leak Data

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Alibaba Bans Internal Use of Claude AI Over Backdoor Concerns
July 3, 2026
Apache ActiveMQ Critical Vulnerabilities Allow DoS Attacks, System Crashes
July 3, 2026
Scammers Impersonate Brands in Gambling Ads to Drive Casino Traffic
July 3, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us