ClickUp Data Leak Exposes Enterprise Emails for Over a Year
A hardcoded API key embedded in ClickUp’s public website has quietly exposed hundreds of corporate and government email addresses for more than a year.
The flaw, first reported in early 2025, remained active as of April 2026 — allowing anyone to access sensitive data with a simple request and no authentication.
“I went to http://clickup[.]com, opened the page source, and found a hardcoded API key in the javascript. I sent one GET request and got back 959 email addresses and 3,165 internal feature flags,” security researcher Impulsive said in an X post.
ClickUp data exposure explained
The exposure originated from ClickUp’s web application, where a publicly accessible JavaScript file loaded before authentication contained a hard-coded third-party API key.
Because client-side code is inherently visible, the key could be easily extracted and used to query a backend endpoint via an unauthenticated GET request. This lack of access controls exposed a dataset containing 959 email addresses and 3,165 internal feature flags, affecting employees at large organizations and government entities across multiple regions.
Beyond revealing personally identifiable information (PII), the feature flags provide insight into internal development processes such as beta features, A/B testing, and product roadmap signals. This information could be leveraged for targeted attacks, competitive intelligence, or platform abuse.
Reported in January 2025 and still unresolved at the time of publication, the vulnerability has heightened the risk of targeted phishing, credential stuffing, and other social engineering attacks.
Reducing SaaS security risks
In light of the ClickUp incident, organizations should adopt a more proactive approach to SaaS security, particularly regarding credentials and API exposure.
Hardcoded keys, limited access controls, and a lack of visibility into third-party integrations can create unnecessary risk and extend exposure windows.
- Enforce strong authentication and access controls, including phishing-resistant MFA, conditional access policies, and device trust requirements across all SaaS platforms.
- Monitor for signs of compromise by auditing access logs, tracking domain exposure in threat intelligence feeds, and detecting anomalous login or API activity.
- Strengthen email and phishing defenses with DMARC, DKIM, SPF, and email security tools to reduce the risk of targeted social engineering attacks.
- Limit exposure and access by applying least privilege, restricting sensitive workflows in third-party tools, and minimizing publicly accessible user or directory data.
- Conduct regular third-party risk assessments and SaaS security posture reviews to identify misconfigurations, excessive permissions, and delayed remediation.
- Implement strong credential and API key hygiene by rotating secrets regularly, appropriately scoping tokens, and avoiding hardcoded credentials in client-side code.
- Test incident response plans and use attack simulation tools with scenarios around hardcoded keys and targeted phishing attacks.
This incident highlights a preventable issue — hardcoded credentials in client-side code — and reinforces the fact that even large organizations can overlook basic security controls.
It also illustrates how a single misconfiguration, when combined with limited access restrictions and delayed remediation, can lead to prolonged exposure. The implications extend beyond ClickUp, as many organizations rely heavily on third-party SaaS platforms to support core operations.
Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.
About Author
