Decrypt LOL


Postman Workspaces Expose Over 30,000 Sensitive Data Items


🔍 Over 30,000 Public Workspaces Expose Sensitive Data on Postman. A year-long investigation by CloudSEK revealed critical security vulnerabilities in Postman Workspaces, a widely used API development platform, leading to the exposure of sensitive information such as API keys, tokens, and administrator credentials. Major platforms like GitHub, Slack, and Salesforce were among those affected, with leaks stemming from misconfigured access, plaintext storage, and inadvertent public sharing. To mitigate risks, CloudSEK recommends using environment variables, rotating tokens, and adopting secret management tools. In response to these findings, Postman has initiated a secret-protection policy to alert users to exposed data and remove public workspaces containing sensitive information.
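The following is an added example, not code from CloudSEK or Postman: a check to run on your own exported collection before sharing it, flagging credential fields that hold literal values instead of `{{variable}}` references, in line with the environment-variable recommendation above. It assumes the Collection v2.1 JSON export layout; the header list, sample collection, and hostnames are constructed.

```python
import json
import re

# Header names that usually carry credentials (assumed list; extend for your APIs).
SENSITIVE_HEADERS = {"authorization", "x-api-key", "cookie"}
# A value that is only a variable reference, e.g. "{{api_key}}" or "Bearer {{token}}".
VARIABLE_ONLY = re.compile(r"^(?:[A-Za-z]+\s+)?\{\{[^{}]+\}\}$")

def is_hardcoded(value):
    """True when a credential field holds a literal instead of a {{variable}}."""
    return bool(value) and not VARIABLE_ONLY.match(str(value).strip())

def scan_items(items, path=""):
    """Walk folders and requests, yielding (request path, field) for literal secrets."""
    for item in items:
        name = f"{path}/{item.get('name', '?')}"
        if "item" in item:  # a folder: recurse into its nested requests
            yield from scan_items(item["item"], name)
            continue
        request = item.get("request")
        if not isinstance(request, dict):  # a bare URL string has no headers or auth
            continue
        for header in request.get("header") or []:
            if header.get("key", "").lower() in SENSITIVE_HEADERS and is_hardcoded(header.get("value")):
                yield name, f"header:{header['key']}"
        auth = request.get("auth") or {}
        params = auth.get(auth.get("type"))  # v2.1 stores auth params as a list
        for param in (params if isinstance(params, list) else []):
            if param.get("key") in {"token", "password", "value"} and is_hardcoded(param.get("value")):
                yield name, f"auth:{auth['type']}.{param['key']}"

def scan_collection(text):
    """Return sorted findings for one exported collection given as JSON text."""
    return sorted(scan_items(json.loads(text).get("item", [])))

# Constructed sample export: one literal token, one request using variables only.
SAMPLE = json.dumps({"info": {"name": "Constructed demo"}, "item": [
    {"name": "Admin", "item": [{"name": "List users", "request": {
        "method": "GET", "url": "https://api.example.test/users",
        "header": [{"key": "Authorization", "value": "Bearer EXAMPLE-NOT-A-REAL-TOKEN"}]}}]},
    {"name": "Get profile", "request": {
        "method": "GET", "url": "https://api.example.test/me",
        "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "{{api_token}}"}]},
        "header": [{"key": "X-Api-Key", "value": "{{api_key}}"}]}}]})

if __name__ == "__main__":
    for request_path, field in scan_collection(SAMPLE):
        print(f"literal credential in {request_path}: {field}")
```

A finding means the value should be moved into a variable and, if the collection was ever public, the credential rotated.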
