A major security concern has emerged as researchers discovered over 30,000 publicly accessible Postman workspaces exposing sensitive data and credentials. The findings reveal widespread misconfigurations putting organizations, their employees, customers, and partners at risk.
Postman, a popular collaborative platform used for API development and testing, has become a source of data leaks because workspaces were left publicly accessible with credentials stored in them. The exposed information includes access tokens, administrator credentials, payment processing API keys, and access to internal systems.
The research team at CloudSEK found that organizations across different industries and sizes were affected by these misconfigurations. Major platforms like GitHub showed 5,924 exposures, while Slack had 5,552 cases and Salesforce recorded 4,206 incidents. Healthcare providers, athletic apparel companies, and financial services were among the most impacted sectors.
The security implications are severe, as malicious actors could use these exposed credentials for financial fraud and data breaches. The leaked information provides access to various third-party APIs and internal systems, creating multiple attack vectors.
In response to these findings, CloudSEK has notified affected organizations about the security risks. Postman has implemented new protective measures, including automated secret detection and user alerts when sensitive information is detected in public workspaces.
This discovery highlights the need for organizations to regularly audit their workspace configurations and implement proper security protocols to protect sensitive data from unauthorized access.
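As an added illustration of the kind of audit the article calls for (my own example, not CloudSEK's research tooling or Postman's built-in secret detection): a small Python scanner that walks an exported Postman collection or environment JSON and flags literal credentials left in headers or variables instead of `{{variable}}` references. The sample exports and token values are constructed, and the field layout (`item`/`request`/`header`, `values[]`) assumes Postman's v2.1 collection and environment export format.

```python
import json
import re

# Constructed sample exports. Field names follow Postman's v2.1 collection and
# environment export layout as assumed here; the token values are made up.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "billing-api"},
    "variable": [{"key": "baseUrl", "value": "https://api.example.test"}],
    "item": [
        {"name": "List invoices", "request": {"method": "GET", "url": "{{baseUrl}}/invoices",
         "header": [{"key": "Authorization", "value": "Bearer ghp_EXAMPLEconstructed1234567890abcd"}]}},
        {"name": "Current user", "request": {"method": "GET", "url": "{{baseUrl}}/me",
         "header": [{"key": "Authorization", "value": "Bearer {{accessToken}}"}]}},
    ],
})
SAMPLE_ENV = json.dumps({
    "name": "prod",
    "values": [
        {"key": "accessToken", "value": "xoxb-000-constructed", "enabled": True, "type": "default"},
        {"key": "stripeKey", "value": "", "enabled": True, "type": "secret"},  # masked, empty on export
    ],
})

# Credential-looking variable/header names, well-known token prefixes
# (GitHub PAT, Slack bot/app/user tokens, Stripe live key), and the
# "{{var}}" placeholder form that is safe to leave in a shared collection.
SECRET_KEY_NAMES = re.compile(r"(token|secret|password|api[_-]?key|authorization)", re.I)
KNOWN_PREFIXES = re.compile(r"\b(ghp_[A-Za-z0-9]{20,}|xox[abp]-[A-Za-z0-9-]+|sk_live_[A-Za-z0-9]+)")
PLACEHOLDER = re.compile(r"^\s*(Bearer\s+)?\{\{[^}]+\}\}\s*$")


def find_exposed_secrets(export_json):
    """Return (json_path, key, reason) for every literal credential in a Postman export."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            key, value = node.get("key"), node.get("value")
            # Only key/value pairs with a non-empty literal (not a {{placeholder}}) are candidates.
            if isinstance(key, str) and isinstance(value, str) and value and not PLACEHOLDER.match(value):
                if KNOWN_PREFIXES.search(value):
                    findings.append((path, key, "known-token-format"))
                elif SECRET_KEY_NAMES.search(key):
                    findings.append((path, key, "credential-named-literal"))
            for k, v in node.items():
                walk(v, f"{path}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")

    walk(json.loads(export_json), "$")
    return findings
```

Run it over every collection and environment exported from a workspace before making that workspace public; any finding should be moved into a secret-typed environment variable and the leaked value rotated.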