ClickUp API Key Exposed for Over a Year, Exposing Customer Data
Cyber News - Erez Dasa reports a critical information leak from ClickUp, a widely used productivity platform. A security researcher, known for uncovering a previous leak at Lovable, claims that an API key on ClickUp’s public source page grants unauthorized access to customer data. This isn’t a new discovery; the researcher reportedly informed ClickUp over a year ago, but the issue remained unaddressed, prompting public disclosure.
The implications are significant. An exposed API key with access to customer information is a direct pipeline for data exfiltration. The fact that this vulnerability persisted for over twelve months after initial notification highlights a severe breakdown in ClickUp’s security response protocols. This isn’t just a technical oversight; it’s a strategic failure to prioritize researcher findings.
For defenders, this incident underscores the importance of detecting, validating and remediating publicly exposed credentials, whether they sit in a source repository on GitHub or a similar platform or in a page served to the public. Remediation means revoking or rotating the key, not merely deleting it from the page: once a credential has been public it must be treated as copied. The incident is also a stark reminder that ignoring researcher disclosures doesn't make a problem disappear; it merely delays the inevitable public exposure, often with greater reputational and regulatory consequences.
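A minimal scanner for the first of those steps, finding a credential that has been shipped in public-facing source, as an added example that is not part of the article and not ClickUp's or the researcher's tooling. It combines known token shapes with an entropy-filtered fallback for generic `key = "..."` assignments and runs over a constructed snippet of a front-end bundle. The `pk_<digits>_<32 chars>` ClickUp pattern is an assumption about the shape of ClickUp personal API tokens, not a detail taken from the article, and every sample value is made up.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Token shapes to look for. The ClickUp entry is an assumption about the
# "pk_<digits>_<32 chars>" shape of ClickUp personal API tokens; it is not
# taken from the article. The other two are the published GitHub PAT and
# AWS access-key-ID prefixes.
KNOWN_PATTERNS = {
    "clickup_personal_token": re.compile(r"\bpk_\d+_[A-Z0-9]{32}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Fallback for token shapes we do not know: a secret-looking name assigned a
# string of 16+ token characters, filtered by Shannon entropy so placeholders
# such as "aaaaaaaa..." or "REPLACE_ME_..." do not fire.
ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; tune against your own corpus


@dataclass
class Finding:
    kind: str
    line_no: int
    value: str

    def redacted(self) -> str:
        """Never log the full credential; keep just enough to locate it."""
        return f"{self.value[:4]}...{self.value[-4:]}"


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, threshold: float = ENTROPY_THRESHOLD) -> list[Finding]:
    """Return one Finding per credential-looking value, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered: list[tuple[int, int]] = []
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(kind, line_no, m.group(0)))
                covered.append(m.span())
        for m in ASSIGNMENT.finditer(line):
            start = m.start(2)
            # Skip values already reported by a known-pattern match on this line.
            if any(s <= start < e for s, e in covered):
                continue
            value = m.group(2)
            if shannon_entropy(value) >= threshold:
                findings.append(
                    Finding(f"high_entropy_{m.group(1).lower()}", line_no, value)
                )
    return findings


# Constructed sample of a shipped front-end bundle; not ClickUp's code and
# none of the values are real credentials.
SAMPLE_BUNDLE = """\
// Constructed sample of a shipped front-end bundle; not ClickUp's code.
const API_BASE = "https://api.example.invalid/v2";
const token = "pk_12345678_ABCDEFGHIJKLMNOPQRSTUVWXYZ012345";
var apiKey = "aaaaaaaaaaaaaaaaaaaaaaaa";
const password = "REPLACE_ME_WITH_REAL_SECRET";
const secret = "q7Vb2kLmN9xP4sRtW8yZ3cFgH6jK0dE1";
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_BUNDLE):
        print(f"line {f.line_no}: {f.kind} {f.redacted()}")
```

Findings are redacted before they are printed so the scan log does not become a second leak. Validating a hit (calling the vendor API to see whether the token is still live and what it can reach) belongs in a disposable environment, and a confirmed-live token is revoked and rotated rather than just deleted from the source.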
What This Means For You
- If your organization uses ClickUp, you need to assume this API key exposure could have compromised your data. Audit your ClickUp usage, review access logs for any unusual activity, and ensure all API integrations are using least privilege principles. Demand clarity from ClickUp on the scope and remediation of this long-standing vulnerability.