Data Security

12 million IPs exposed sensitive .env files

[Illustration: concept of leaky software, data with a tap sticking out]

As outlined in Security Affairs, a significant security lapse has been uncovered by Mysterium VPN, revealing that over 12 million IP addresses worldwide are exposing sensitive information through publicly accessible .env-style files. This widespread issue highlights a critical gap in operational security hygiene across numerous organizations.

Researchers identified approximately 12,088,677 IP addresses serving .env files, which commonly store environment variables for applications. These files contained a range of sensitive data, including database passwords, API keys, JWT signing secrets, and cloud service tokens. The United States leads the exposed IPs with nearly 2.8 million, followed by Japan, Germany, India, France, and the UK. The exposure stems from common configuration errors, such as a missing deny rule for hidden (dot-prefixed) files or an otherwise incorrect server configuration, which let anyone fetch these critical credentials directly; no software vulnerability needs to be exploited. Attackers can use the leaked values to skip the initial-access stage entirely, connecting straight to databases, forging authentication tokens, or abusing APIs.
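The "deny rule for hidden files" whose absence the article names as a root cause, written out as an added example (not code from the Security Affairs write-up or from Mysterium VPN). The weak rule is the exact-match block that still leaks .env.bak, .git/config or a percent-encoded request; the hardened rule canonicalizes the path first and keeps only /.well-known/ reachable. The request paths, the WSGI middleware name and the allowlist are assumptions made for the demo.

```python
"""
Added example, not code from the Security Affairs write-up or from Mysterium
VPN: the "deny rule for hidden files" whose absence the article names as a root
cause, written as a request-path filter plus a WSGI middleware that wraps any
application. The weak rule beside it is the kind of exact-match block that
still leaks .env.bak, .git/config or an encoded request. Sample request paths
are constructed for the demo.
"""
import posixpath
from urllib.parse import unquote

# Hidden directories that legitimately must stay reachable (ACME challenges
# for certificate issuance live under /.well-known/). Assumed allowlist.
ALLOWED_HIDDEN_FIRST_SEGMENTS = {".well-known"}


def naive_is_blocked(path):
    """Weak rule: blocks the literal /.env and nothing else."""
    return path == "/.env"


def normalized_segments(path):
    """Canonicalize a request path before checking it.

    1. Percent-decode until stable (catches %2Eenv and double encoding),
       bounded so a hostile input cannot keep the loop busy.
    2. Drop any query string.
    3. Collapse '.' and '..' with posixpath.normpath so /static/../.env
       is judged as /.env.
    4. Return the non-empty path segments.
    """
    decoded = path
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    decoded = decoded.split("?", 1)[0]
    normalized = posixpath.normpath(decoded)
    return [seg for seg in normalized.split("/") if seg]


def is_denied(path):
    """Hardened rule: deny any path with a dot-prefixed segment anywhere,
    except a leading /.well-known/ (and even then, nothing hidden below it)."""
    for index, seg in enumerate(normalized_segments(path)):
        if index == 0 and seg in ALLOWED_HIDDEN_FIRST_SEGMENTS:
            continue
        if seg.startswith("."):
            return True
    return False


def deny_hidden_files(app):
    """WSGI middleware: answer 404 for hidden paths, otherwise pass through.
    404 rather than 403 so the response does not confirm the file exists."""
    def wrapped(environ, start_response):
        if is_denied(environ.get("PATH_INFO", "")):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        return app(environ, start_response)
    return wrapped


def audit_paths(paths):
    """Compare the weak and hardened rules over a list of request paths."""
    return {p: {"naive": naive_is_blocked(p), "hardened": is_denied(p)} for p in paths}


SAMPLE_REQUESTS = [  # constructed for the demo, not taken from any real log
    "/index.html",
    "/.env",
    "/.env.bak",
    "/static/../.env",
    "/%2Eenv",
    "/%252Eenv",
    "/.env?download=1",
    "/app/.git/config",
    "/.well-known/acme-challenge/token",
    "/.well-known/.env",
    "/dotenv/config.json",
]

if __name__ == "__main__":
    for req, verdict in audit_paths(SAMPLE_REQUESTS).items():
        print(f"{req:40} naive={'deny' if verdict['naive'] else 'allow':5} "
              f"hardened={'deny' if verdict['hardened'] else 'allow'}")
```

The same check belongs at every layer the article lists: in the application (the middleware above), in the web server's location rules, and at the CDN, so that a later deployment that drops one layer does not reopen the file. Normalizing before matching is the part most often skipped; a rule that compares the raw URI passes `/static/../.env` and `/%2Eenv` straight through.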

The widespread exposure of .env files points to a systemic problem in how organizations manage secrets, treating configuration as an afterthought. This necessitates a shift towards embedding robust secret governance into development workflows and deployment pipelines. Immediate remediation involves removing public access, rotating all exposed secrets, and invalidating tokens. Long-term solutions include implementing automated secret scanning, blocking access to hidden files at the server and CDN level, and utilizing centralized secret management systems with audit logs and automated rotation to mitigate future risks and prevent breaches.
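A small secret-scanning pass of the kind the remediation above calls for, as an added example (not code from the article or from Mysterium VPN). It walks a deployment directory, flags .env-style files that sit inside the web document root (where a server without a dotfile deny rule could serve them), parses each file and builds a redacted rotation inventory of the keys that look like credentials. The directory layout, file names, key names and values are all constructed for the demo; the key-name pattern is a deliberately broad assumption.

```python
"""
Added example, not code from the Security Affairs write-up or from Mysterium
VPN: a secret-scanning pass that finds dotenv files in a deployment tree,
reports which of them sit inside the web document root, and produces a
redacted inventory of credential-bearing keys to drive rotation. The sample
deployment is constructed in a temporary directory with invented values.
"""
import os
import re
import tempfile

# Key names that usually carry credentials. Deliberately broad: a false
# positive costs a glance, a missed secret costs a rotation you never did.
SECRET_KEY_PATTERN = re.compile(r"PASS|PASSWORD|SECRET|TOKEN|KEY|PRIVATE", re.I)
ENV_FILE_PATTERN = re.compile(r"^\.env(\..+)?$")   # .env, .env.local, .env.production
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")


def parse_env(text):
    """Parse KEY=VALUE lines (dotenv style) into a dict.

    Handles blank lines, '#' comments, an optional 'export ' prefix,
    single/double-quoted values and an unquoted value's trailing ' # comment'.
    """
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if not match:
            continue  # malformed line: skip rather than guess
        key, raw = match.group(1), match.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            value = raw[1:-1]
        else:
            value = raw.split(" #", 1)[0].rstrip()
        values[key] = value
    return values


def redact(value):
    """Show enough of a value to identify it in a rotation ticket, no more."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def find_env_files(root):
    """Return every dotenv-style file below root, sorted for stable output."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        found.extend(os.path.join(dirpath, n) for n in filenames if ENV_FILE_PATTERN.match(n))
    return sorted(found)


def inventory(root, docroot):
    """Build the rotation inventory: one entry per .env file under root."""
    docroot_abs = os.path.abspath(docroot)
    report = []
    for path in find_env_files(root):
        with open(path, encoding="utf-8") as fh:
            values = parse_env(fh.read())
        secrets = {k: redact(v) for k, v in values.items()
                   if v and SECRET_KEY_PATTERN.search(k)}
        # A file inside the document root is reachable by URL unless the server
        # explicitly denies dotfiles; that is the exposure the article describes.
        servable = os.path.commonpath([docroot_abs, os.path.abspath(path)]) == docroot_abs
        report.append({
            "path": os.path.relpath(path, root).replace(os.sep, "/"),
            "servable": servable,
            "secrets": secrets,
        })
    return report


def build_sample_deployment():
    """Constructed deployment tree: public/ is the web root, config/ is not."""
    root = tempfile.mkdtemp(prefix="envscan-")
    os.makedirs(os.path.join(root, "public", "assets"))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "public", ".env"), "w", encoding="utf-8") as fh:
        fh.write("# constructed sample, not real credentials\n"
                 "DB_HOST=db.internal\n"
                 "DB_PASSWORD=\"s3cr3t-pa55word\"\n"
                 "export API_KEY=abcdef1234567890\n"
                 "JWT_SECRET='change-me'\n"
                 "APP_ENV=production # comment after value\n")
    with open(os.path.join(root, "config", ".env.production"), "w", encoding="utf-8") as fh:
        fh.write("SMTP_PASSWORD=mail-pass-0001\nLOG_LEVEL=info\n")
    with open(os.path.join(root, "public", "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html></html>\n")
    return root


def scan_sample():
    """Run the inventory over the constructed tree."""
    root = build_sample_deployment()
    return inventory(root, os.path.join(root, "public"))


if __name__ == "__main__":
    for entry in scan_sample():
        flag = "SERVABLE  " if entry["servable"] else "not served"
        print(f"{flag} {entry['path']}: {entry['secrets']}")
```

Run against a real checkout, the `servable` entries are the ones to treat as already compromised: every key listed there goes on the rotation list, and the file itself should move out of the document root. The same pass fits in a CI job so a dotenv file copied into `public/` fails the build before it reaches a server.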

Source: Security Affairs
