Thousands of widely-used public workspaces are leaking data

News
By
published

Following disclosure, Postman implemented additional safeguards

Data Breach
Image Credit: Shutterstock (Image credit: Shutterstock)
  • Many organizations using Postman workspaces are putting their data at risk
  • Researchers found tens of thousands of publicly accessible workspaces leaking data
  • The data leaked is includes sensitive information about third-party API

Many organizations using Postman workspaces are putting their data, employees, customers, and partners at risk, due to various misconfigurations, experts have warned.

CloudSEK’s Triad team uncovered more than 30,000 publicly accessible Postman workspaces leaking sensitive information.

For those unfamiliar with Postman, it is a collaborative platform for API development, often used as a public workspace for creating, testing, sharing, and managing APIs. It provides tools for developers to streamline the API lifecycle, from design and testing to documentation and deployment.

Widespread misconfigurations

CloudSEK said these tens of thousands of publicly accessible workspaces were leaking sensitive information about third-party API, including access tokens, refresh tokens, and third-party API keys. Sensitive information uncovered includes administrator credentials, payment processing API keys, and access to internal systems.

Companies of all shapes and sizes were leaking data, from SMBs to large enterprises, the researchers further said. Some owners of the leaked API keys and access tokens are still unidentified, since inadequate permissions and API limitation prevented researchers from identifying them.

Major platforms impacted include GitHub (5,924 exposures), Slack (5,552), and Salesforce (4,206), while most exposed sectors include healthcare, athletic apparel, and financial services.

The misconfigurations are widespread, CloudSEK says, adding that organizations are exposed to “significant security risks”, which includes “severe financial and reputational damage.”

“Postman workspaces often contain sensitive data, including API keys, tokens, credentials, and documentation,” the researchers said. “When mishandled, this data becomes a treasure trove for malicious actors capable of exploiting vulnerabilities for financial fraud, data breaches, and reputational damage.”

CloudSEK said it reported most of the incidents to its respective organizations, but did not discuss how many responded, and how. It did say that Postman implemented new security measures, which include proactive secret detection and user notifications when sensitive data is found in public workspaces.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Stress
Time tracker tool spilled details on remote workers - millions of screenshots leaked
API
Businesses are being plagued by API security risks - with nearly 99% affected
Data leak
AWS customers hit by major cyberattack which then stored stolen credentials in plain sight
Shadowed hands on a digital background reaching for a login prompt.
Private API keys and passwords found in AI training dataset - nearly 12,000 details leaked
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Thousands of servers potentially at risk from Prometheus security flaw
Data leak
AI development service Builder.ai potentially exposed over 1TB of user data
Latest in Security
A graphic showing fleet tracking locations over a city.
Lost & Found tracking site hit by major data breach - over 800,000 could be affected
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.
US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Web DDoS attacks see major surge as AI allows more powerful attacks
Polish space agency says it was hit by a cyberattack
Illustration of a hooked email hovering over a mobile phone
AWS misconfigurations reportedly used to launch phishing attacks
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Latest in News
Google Gemini iPhone Lock Screen
You can now access Gemini from your iPhone's lock screen
Michelle, Keats, and Doctor Amherst looking unimpressed and worried in The Electric State
Netflix drops trailer for The Electric State, and I'm getting serious District 9 vibes
YouTube TV
YouTube TV might be planning a big Netflix update that puts the best streaming services first
Google Pixel 9 Pro
Here are the 7 best Pixel 9 and Pixel Watch 3 features landing in March’s Pixel Feature Drop
Bang & Olufsen Beogram 4000C Saint Laurent Rive Droite Edition
Bang & Olufsen's latest reworked turntable is a masterpiece of retro revival, in a breathtaking wooden presentation box
Apple Watch Series 10
Apple unveils new Apple Watch bands – here's what's in the Spring 2025 collection
More about security
A graphic showing fleet tracking locations over a city.

Lost & Found tracking site hit by major data breach - over 800,000 could be affected
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.

Microsoft Teams and other Windows tools hijacked to hack corporate networks
A shot showing the flags of New Zealand and South Africa

New Zealand vs South Africa live stream: How to watch ICC Champions Trophy semi-final online (available for free)
See more latest
Most Popular
A business woman looking at AI on a transparent screen
Businesses are facing an "AI Divide" - which could be the difference between success and failure
Google Gemini iPhone Lock Screen
You can now access Gemini from your iPhone's lock screen
Apple Vision Pro with Dassault Systèmes 3DEXPERIENCE platform
Dassault Systèmes teams up with Apple to use Vision Pro headsets to bring spatial CAD to life
Samsung 18.1-inch foldable OLED monitor
Samsung has launched a flexible portable monitor complete with a briefcase, one that seems to come straight from a James Bond movie
GenMachine Zhi mini pc
This is the smallest AMD PC I've ever seen: mysterious manufacturer uses Ryzen 3 APU with surprising results
Beelink ME Mini
One of our favorite mini PC vendors has launched a NAS that looks a bit like Apple's PowerMac G4 Cube PC - but way smaller
Michelle, Keats, and Doctor Amherst looking unimpressed and worried in The Electric State
Netflix drops trailer for The Electric State, and I'm getting serious District 9 vibes
YouTube TV
YouTube TV might be planning a big Netflix update that puts the best streaming services first
Maserati MC20 Autonomous
This AI-driven Maserati just hit 197.7mph without a human behind the wheel
AI data center
Is Microsoft hesitating on AI? Days after CEO said it would be upping capacity, analyst claims tech giant has actually cancelled data center leases