FeedMalwareClickUp’s Hardcoded API Key Exposes 959 Emails from Fortune ...
MalwareCyber Security News
8.0CRITICAL

ClickUp’s Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants

📅 27 April 2026 at 15:34 UTC📰 Cyber Security NewsView original source ↗

A publicly accessible JavaScript file on ClickUp’s homepage has been silently leaking nearly a thousand corporate and government email addresses, including employees from Fortinet, Home Depot, Tenable, Mayo Clinic, and U.S. state government workers, through a hardcoded third-party API key that was first reported in January 2025 and remains unrotated as of April 2026. The […] The post ClickUp’s Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants appeared first on Cyber Security News.

🤖 AI BriefingAuto-generated threat analysis
🔍Threat Overview

ClickUp's hardcoded API key exposed nearly 1000 email addresses, including employees from prominent organizations such as Fortinet and Mayo Clinic, through a publicly accessible JavaScript file on their homepage.

⚙️Technical Details
Affected Systems
ClickUp's homepage
Attack Vectors
Publicly accessible JavaScript file
💥Impact Assessment
Severity: High
Who Is at Risk
Employees of exposed organizations and potentially anyone who accessed the leaked email addresses
🛡️Recommended Actions
1Rotate ClickUp's API key regularly
2Monitor for any suspicious activity on their homepage
3Implement additional security measures to protect against similar attacks
📦Affected Products
ClickUp software

Read the full article

This is a curated summary. The complete article is available at Cyber Security News.

Read on Cyber Security News
← Back to feed