ClickUp API Key Exposure Reportedly Revealed 959 Corporate and Government Email Addresses
ClickUp is facing scrutiny after a security researcher reported that a hardcoded API key in a public JavaScript file exposed 959 email addresses and 3,165 internal feature flags.
The reported exposure affected email addresses tied to major companies and government bodies, including Fortinet, Home Depot, Autodesk, Tenable, Mayo Clinic, Permira, Akin Gump, several U.S. state government workers, Queensland government users, New Zealand government users, a Microsoft contractor, and ClickUp employees.
The issue matters because ClickUp is widely used as a workplace productivity platform. A leak of corporate email addresses may not expose passwords or private documents by itself, but it can give attackers a cleaner target list for phishing, credential theft, and social engineering campaigns.
What happened with ClickUp's hardcoded API key
The researcher said the issue started with ClickUp's public homepage. By inspecting the page source, the researcher found an API key inside a JavaScript file that loaded before user authentication.
The key reportedly allowed an unauthenticated GET request to return 959 email addresses. The same response also returned 3,165 internal feature flags, which can reveal product experiments, beta features, and internal platform behavior.
Hardcoded secrets in client-side JavaScript create risk because the browser has to download the code to run it, so nothing in it stays private. Anyone who visits the page, or fetches the bundle directly, can inspect the files, extract exposed keys, and test what each key can access.
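As an added illustration of that inspection step (example code written for this article, not anything from ClickUp or the researcher), the Python script below scans a JavaScript bundle for string constants that look like API keys: quoted values of at least 16 characters assigned to an identifier, filtered by character entropy so that URLs and padding strings drop out. The bundle text, the identifiers and the key inside it are all constructed; the script contacts no endpoint.

```python
"""Find API-key-shaped string constants in a JavaScript bundle.

Added example for this article, not code from ClickUp or the researcher.
The bundle below is constructed and the key inside it is fake.
"""
import math
import re

# Constructed sample of a public front-end bundle: one real-looking key
# assignment, one URL, one low-entropy padding string, and one header that
# references the key by identifier rather than by value.
SAMPLE_BUNDLE = """\
const API_BASE = "https://api.example.invalid/v1";
const FLAG_CLIENT_KEY = "sk_live_9fZq3Lw7Pn2xVb8Kd4Rt6Ym1Hs5Jc0Eg";
var separator = "----------------------------------------";
fetch(API_BASE + "/flags", { headers: { "X-Api-Key": FLAG_CLIENT_KEY } });
"""

# A quoted string of 16+ characters assigned to an identifier (`name = "..."`
# or `name: "..."`). Names containing key/token/secret raise confidence but
# are not required, because minifiers usually rename them.
ASSIGN_RE = re.compile(
    r'(?P<name>[A-Za-z_$][\w$]*)\s*[:=]\s*["\'](?P<value>[^"\']{16,})["\']'
)
NAME_HINT_RE = re.compile(r"key|token|secret|auth|api", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score roughly 4 to 5, prose and padding far less."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_candidate_secrets(js: str, min_entropy: float = 3.5) -> list:
    """Return one finding per suspicious assignment, with its line number."""
    findings = []
    for lineno, line in enumerate(js.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            value = m.group("value")
            # URLs and paths are long and look random, but they are public by design.
            if value.startswith(("http://", "https://", "/")):
                continue
            entropy = shannon_entropy(value)
            if entropy < min_entropy:
                continue
            findings.append({
                "line": lineno,
                "name": m.group("name"),
                "value": value,
                "entropy": round(entropy, 2),
                "name_hint": bool(NAME_HINT_RE.search(m.group("name"))),
            })
    return findings


def masked(value: str) -> str:
    """Show only enough of a secret to identify it in a report."""
    return value[:6] + "..." + value[-4:] if len(value) > 12 else "***"


if __name__ == "__main__":
    for f in find_candidate_secrets(SAMPLE_BUNDLE):
        label = "likely key" if f["name_hint"] else "review"
        print(f'line {f["line"]}: {f["name"]} = {masked(f["value"])} '
              f'(entropy {f["entropy"]}, {label})')
```

The same check belongs in CI before a bundle is published: anything this finds in a shipped file is, by construction, already in the hands of every visitor, and the only remaining question is what the key is allowed to call.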
Why the leaked email addresses matter
Email addresses often look harmless compared with passwords, tokens, or documents. In enterprise security, they still carry value.
Attackers use verified company email addresses to build targeted phishing campaigns. They can impersonate IT support, payroll, executives, vendors, or SaaS providers with more believable messages.
The risk grows when affected addresses belong to security vendors, government departments, healthcare organizations, and large enterprises. Employees at those organizations often handle sensitive systems, internal tools, or privileged workflows.
Key details at a glance
| Detail | Reported information |
|---|---|
| Platform | ClickUp |
| Issue | Hardcoded third-party API key in public JavaScript |
| Reported data exposed | 959 email addresses |
| Additional exposed data | 3,165 internal feature flags |
| Authentication needed | None, according to the researcher |
| First reported | January 17, 2025 |
| Still active | Reportedly still unrotated in April 2026 |
| Main risks | Phishing, credential attacks, social engineering, product intelligence leakage |
The exposure also raises questions about secret rotation. The researcher said the issue was reported through HackerOne in January 2025, yet the same key remained usable more than 15 months later.
That timeline makes the case more serious. Secret leaks usually require fast containment, even when exposed data looks limited. The standard response includes revoking the key, rotating related credentials, limiting API scope, reviewing logs, and notifying affected users where needed.
Feature flags add another layer of concern
The leaked feature flags could also create business and security concerns. Feature flags often show unfinished features, internal tests, rollout rules, and configuration details.
For competitors, that data can reveal product direction. For attackers, it may help identify hidden surfaces, staged features, or workflows that have not received the same level of public scrutiny.
Feature flags do not always contain sensitive data. However, exposing thousands of them through an unauthenticated request gives outsiders more insight into how a platform operates.
What ClickUp users should do
Organizations using ClickUp should treat the report as a vendor-risk issue and review their exposure. The main concern is targeted abuse of exposed email addresses, not direct access to ClickUp workspaces.
Security teams should warn employees about ClickUp-themed phishing attempts. Attackers may use the story as a hook to send fake password reset emails, fake security notices, or fake workspace alerts.
Admins should also review ClickUp account protections, especially for users with elevated access.
Recommended steps:
- Enable multi-factor authentication for ClickUp accounts.
- Review SSO and identity provider logs for suspicious sign-in attempts.
- Warn employees about ClickUp-themed phishing emails.
- Check whether exposed users hold admin, IT, finance, or security roles.
- Review vendor-risk documentation and request an update from ClickUp.
- Monitor for suspicious messages that reference ClickUp workspaces, tasks, or security alerts.
What ClickUp should address
ClickUp should rotate the exposed API key and review whether related keys or tokens were also exposed. It should also determine how long the key was accessible and what requests were made with it.
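To show what "review the logs" looks like in practice, both for the containment checklist above and for the question of how long the key was accessible and what was requested with it, here is an added example (not ClickUp's tooling). The JSON-lines gateway log format, the key ids pk_web_7f3a and pk_int_91bc, the paths and the addresses are all constructed; 10.0.0.0/8 stands in for the company's own egress range, and 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges. Given an exposed key id, the script reports first and last use, request count, sources outside the expected origins, the paths called, how many calls carried no user identity, and which calls successfully hit a path that returns personal data.

```python
"""Reconstruct how an exposed API key was used from API gateway logs.

Added example for this article, not ClickUp's tooling. The JSON-lines log
format, key ids, paths and addresses are all constructed.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed gateway log: one record per request, with the key id the gateway
# resolved from the X-Api-Key header and the signed-in user, if any.
SAMPLE_LOG = """\
{"ts": "2025-01-17T09:02:11Z", "key_id": "pk_web_7f3a", "method": "GET", "path": "/v1/flags", "status": 200, "src": "203.0.113.5", "user": null}
{"ts": "2025-01-17T09:02:12Z", "key_id": "pk_web_7f3a", "method": "GET", "path": "/v1/flags", "status": 200, "src": "203.0.113.5", "user": null}
{"ts": "2025-01-18T14:20:45Z", "key_id": "pk_web_7f3a", "method": "GET", "path": "/v1/flags", "status": 200, "src": "198.51.100.23", "user": null}
{"ts": "2025-02-03T22:11:09Z", "key_id": "pk_web_7f3a", "method": "GET", "path": "/v1/flags", "status": 200, "src": "198.51.100.23", "user": null}
{"ts": "2025-02-03T22:11:30Z", "key_id": "pk_web_7f3a", "method": "GET", "path": "/v1/users", "status": 200, "src": "198.51.100.23", "user": null}
{"ts": "2026-04-09T03:44:02Z", "key_id": "pk_web_7f3a", "method": "GET", "path": "/v1/flags", "status": 200, "src": "198.51.100.77", "user": null}
{"ts": "2026-04-09T03:44:02Z", "key_id": "pk_int_91bc", "method": "GET", "path": "/v1/users", "status": 200, "src": "10.0.4.8", "user": "svc-admin"}
"""

# Paths whose successful responses carry personal data (assumed for this
# example); a hit here is what decides whether a notification duty exists.
SENSITIVE_PATHS = {"/v1/users"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize_key_usage(log_text: str, key_id: str,
                        expected_origins=("10.0.0.0/8",)) -> dict:
    """When was the key used, from where, for what, and did it touch personal data."""
    networks = [ip_network(n) for n in expected_origins]
    first = last = None
    sources, paths = Counter(), Counter()
    unauthenticated = 0
    sensitive_hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["key_id"] != key_id:
            continue
        ts = parse_ts(rec["ts"])
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
        sources[rec["src"]] += 1
        paths[f'{rec["method"]} {rec["path"]}'] += 1
        if rec.get("user") is None:
            unauthenticated += 1
        if rec["path"] in SENSITIVE_PATHS and rec["status"] == 200:
            sensitive_hits.append((rec["ts"], rec["src"]))
    # Any source outside the company's own ranges means someone else has the key.
    unexpected = sorted(
        src for src in sources
        if not any(ip_address(src) in net for net in networks)
    )
    return {
        "key_id": key_id,
        "requests": sum(sources.values()),
        "first_seen": first.isoformat() if first else None,
        "last_seen": last.isoformat() if last else None,
        "exposure_days": (last - first).days if first else None,
        "unauthenticated": unauthenticated,
        "sources": dict(sources),
        "unexpected_sources": unexpected,
        "paths": dict(paths),
        "sensitive_hits": sensitive_hits,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_key_usage(SAMPLE_LOG, "pk_web_7f3a"), indent=2))
```

The summary is also the evidence that the disclosure needs: the window between first_seen and last_seen bounds how long abuse was possible, unexpected_sources says whether anyone other than the site itself used the key, and sensitive_hits lists the calls that actually returned personal data, which is what determines who must be notified.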
The company should also clarify whether the exposed emails belonged to active customers, trial users, employees, vendors, or mixed datasets. That distinction matters for notification, compliance, and customer trust.
A full response should include the root cause, affected data categories, containment steps, and whether any abuse was detected.
FAQ
What data was reportedly exposed?
The researcher reported that 959 email addresses and 3,165 internal feature flags were exposed through a hardcoded API key.
Were passwords exposed?
The public report does not say passwords were exposed. The reported data includes email addresses and feature flags.
Why does a hardcoded key in public JavaScript matter?
A hardcoded key in public JavaScript can be viewed by anyone who loads the site. If the key has access to sensitive endpoints, outsiders can query data without logging in.
Who was affected?
The report mentions employees or users tied to major companies, government bodies, a Microsoft contractor, and ClickUp employees.