Cybernews
ClickUp API Key Vulnerability Exposes 959 Emails from Fortune 500 Firms
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A security vulnerability in ClickUp has led to the exposure of 959 email addresses associated with major Fortune 500 companies and government agencies. The issue arises from a hardcoded Split.io SDK token in ClickUp’s production JavaScript bundle, which is automatically loaded when users access the platform. This vulnerability was first reported in January 2025 and has not been addressed as of April 2026. Affected organizations include Fortinet, Depot, Tenable, Mayo Clinic, and various U.S. state government employees. The exposed emails could lead to phishing attacks and other malicious activities. The vulnerability remains unpatched, raising significant security concerns. Security professionals are urged to monitor for potential misuse of the exposed data. The incident highlights the risks associated with hardcoded credentials in production environments.
Key Points: • 959 email addresses from Fortune 500 firms and government agencies were exposed. • The vulnerability stems from a hardcoded API key in ClickUp's JavaScript bundle. • The issue was first reported in January 2025 and remains unaddressed as of April 2026.