May 04, 2026 · 8 min read
ClickUp Left an API Key in Its Homepage JavaScript for 15 Months—959 Fortune 500 Emails Were on the Other End
A security researcher loaded ClickUp's public homepage, opened the browser developer tools, and watched a hardcoded API key load before he had even signed in. Fifteen months earlier, somebody else had already filed the same finding through HackerOne. When the new report came in, ClickUp closed it as a duplicate within two days. The key was still live, still working, and still spilling Fortune 500 email addresses on the day the second researcher pressed publish.
A Single Unauthenticated Request Returned 4.5 Megabytes
The single unauthenticated request returned 4.5 megabytes of backend data: 959 corporate and government email addresses and 3,165 internal feature flags. One of those feature flags contained a second live ClickUp API token, so the first token unlocked the second. Anyone who viewed the page source could chain them together.
As of publication, ClickUp had said nothing about the ongoing exposure to its customers, a base it says includes 85 percent of the Fortune 500.
What Was Sitting in Plain View
The researcher who disclosed the bug, posting under @weezerOSINT on X, found a Split.io SDK key hardcoded into a JavaScript bundle that loads on ClickUp's public homepage. Split.io is a feature flagging service that decides which users see which experimental features. It issues separate server-side and client-side SDK keys; a server-side key can download the account's full flag definitions and is meant to stay on a backend. ClickUp shipped a key that did exactly that in front end code anybody could read by hitting Ctrl+U.
A single GET request to Split.io's API, using the leaked key, returned the full feature flag catalog: configuration toggles, A/B test groups, and the email addresses individually targeted by each flag's rules. The data dump included:
- 71 ClickUp employees along with their internal feature assignments
- A Microsoft contractor working with the platform
- Engineers and security staff from Home Depot, Fortinet, Autodesk, Tenable, Rakuten, and Mayo Clinic
- Lawyers from Akin Gump, one of the largest US law firms
- Government workers in Wyoming, Arkansas, North Carolina, Montana, Queensland, and New Zealand
- 3,165 internal feature flags exposing beta features, kill switches, and product roadmap signals
ClickUp raised $535 million at a $4 billion valuation and lists SOC 2, ISO 27001, and PCI DSS certifications on its trust page. The certifications did not catch a hardcoded credential sitting in production JavaScript for over a year.
The HackerOne Report ClickUp Sat On
The first responsible disclosure report arrived in ClickUp's HackerOne queue on January 17, 2025. ClickUp triaged it, marked it as accepted, and, according to multiple researchers familiar with the timeline, took no remediation action.
When @weezerOSINT filed a second report fifteen months later, in April 2026, ClickUp closed the new ticket as a duplicate of the January 2025 report and marked it resolved. The key was still active. The researcher confirmed the data was still accessible minutes before public disclosure.
That is the part that should sting any compliance officer reading this. ClickUp's certification renewals fell inside the exposure window. A SOC 2 Type II audit samples security controls rather than inspecting every artifact; either nobody looked at the homepage source, or somebody looked and decided a live production token in a public bundle was an acceptable risk.
Why a List of Email Addresses Is Worse Than It Sounds
A list of 959 corporate emails sounds modest next to the 6.8 billion address dump that hit BreachForums earlier this year. It is not modest. The ClickUp leak is qualitatively more dangerous because it is selected rather than aggregated.
Every email on this list belongs to someone who:
- Works at a named, identifiable employer (Home Depot, Mayo Clinic, etc.)
- Has decision making access inside ClickUp's enterprise platform
- Is presumably authorized to approve workflow changes, access projects, or hand out new permissions
A phishing crew with this list does not need to spray; it can write one carefully targeted email per victim. Impersonate ClickUp ("we noticed unusual activity on your enterprise account, click here to verify") and the conversion rate can climb from a fraction of a percent to double digits. That is the attack pattern currently being used to steal payroll deposits and SSO tokens from US employees.
The 3,165 feature flags are a parallel disaster. Several leaked entries reportedly mapped beta features to specific customer cohorts, exposing which clients are testing which unreleased ClickUp products. For a competitor, that is a free roadmap. For a social engineer, it is a way to drop the right project name into a fake support email and look authentic.
The Pattern: SaaS Vendors Become Email Pipelines
ClickUp is the latest entry in a 2026 trend that should worry every security team that ever onboarded a productivity SaaS. The pattern is now consistent enough to predict: the SaaS itself does not get encrypted, ransomed, or directly breached. Instead, the SaaS leaks the list of who uses it, and that list becomes the targeting input for the next wave of phishing.
In the past 60 days alone, Crunchyroll lost 6.8 million customer emails through one infected call center laptop, Carnival's Mariner Society had 7.5 million email addresses pulled from a single compromised inbox, and Adobe lost 13 million customer support tickets via one phishing email. Every one of those leaks is now feeding inboxes with tracking pixels and tailored phishing.
ClickUp's mistake is the same kind, just earlier in the chain. No customer workspace data was breached; what leaked is, in effect, an unprotected directory of who works with ClickUp. That directory is exactly the input that fuels the breaches one quarter from now.
What Engineering Teams Should Do Today
If your team uses ClickUp, the immediate question is whether anyone on your domain is in the leaked file. The leaked emails were collected at conferences, demos, and free trial signups in addition to active accounts, so the exposure is broader than your paid seats.
Three actions worth doing now:
- Treat any ClickUp related email landing in your inbox this month as suspicious. Unusual login alerts, "your trial is expiring," password reset prompts—every single one is a credible phishing template after this leak.
- Audit your own front end JavaScript for hardcoded tokens. Split.io is widespread; so are Stripe, Segment, LaunchDarkly, and Mixpanel. Several of those services issue keys that are meant to be public (Stripe publishable keys, for instance), so the question is not whether a key is in the bundle but whether it is the secret, server-side kind. ClickUp's mistake takes thirty seconds to repeat in any framework that inlines environment variables into the browser bundle: in Next.js every NEXT_PUBLIC_ variable, in Vite every VITE_ variable, and in Create React App every REACT_APP_ variable ends up in the shipped JavaScript.
- Block tracking pixels in business inboxes. A targeted phishing email with a tracking pixel tells the attacker which user opened it, on which device, and from where: telemetry that powers the next step of the attack.
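The audit in the second item above can be automated. The Node script below is an added example for this article, not ClickUp's or Split.io's code: it scans built bundle text and .env files for credential-shaped values, treats documented public formats (Stripe publishable keys) as safe, flags documented secret formats (Stripe secret and restricted keys, AWS access key IDs, GitHub classic tokens, Slack tokens) as high confidence, and falls back to a name-plus-entropy heuristic for everything else. The Split.io key in the sample is a made-up value and the sample inputs are constructed; the page gives no format for Split keys, so the scanner catches that one by variable name and entropy rather than by prefix. The NEXT_PUBLIC_, VITE_, REACT_APP_ and EXPO_PUBLIC_ prefixes are the real ones those frameworks inline into the browser bundle.

```javascript
// Added example, not ClickUp's or Split.io's code. Sample inputs are constructed.

// Documented secret formats that must never appear in code served to a browser.
const SECRET_FORMATS = [
  { kind: 'stripe-secret', re: /^[sr]k_(live|test)_[A-Za-z0-9]{16,}$/ },
  { kind: 'aws-access-key-id', re: /^AKIA[0-9A-Z]{16}$/ },
  { kind: 'github-token', re: /^gh[pousr]_[A-Za-z0-9]{36,}$/ },
  { kind: 'slack-token', re: /^xox[abpr]-[A-Za-z0-9-]{10,}$/ },
];

// Formats designed to be public (Stripe publishable keys); never a finding.
const PUBLIC_FORMATS = [/^pk_(live|test)_/];

// Env-var prefixes that Next.js, Vite, Create React App and Expo inline into the bundle.
const BROWSER_ENV_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_', 'EXPO_PUBLIC_'];

const CREDENTIAL_NAME = /key|token|secret|password|credential/i; // name suggests a credential
const ALNUM_RUN = /^[A-Za-z0-9]{20,}$/;  // shorter or snake_case values are usually identifiers
const MIN_ENTROPY_BITS = 3.5;            // per character; random keys score well above this

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Decide whether a (name, value) pair looks like a leaked credential.
// Returns null when acceptable, otherwise { kind, confidence }.
function classify(name, value) {
  if (PUBLIC_FORMATS.some((re) => re.test(value))) return null;
  for (const f of SECRET_FORMATS) {
    if (f.re.test(value)) return { kind: f.kind, confidence: 'high' };
  }
  const looksRandom =
    CREDENTIAL_NAME.test(name) && ALNUM_RUN.test(value) && shannonEntropy(value) >= MIN_ENTROPY_BITS;
  return looksRandom ? { kind: 'high-entropy-credential', confidence: 'review' } : null;
}

// Keep only enough of a value to recognise it in a report.
function redact(value) {
  return value.slice(0, 6) + '...' + value.slice(-4);
}

// Scan bundle text for `name = "value"` and `name: "value"` assignments,
// which is how bundlers emit both module constants and object literals.
function scanBundle(text) {
  const findings = [];
  const assignment = /([A-Za-z_$][\w$]*)\s*[:=]\s*(["'`])([^"'`\s]{8,})\2/g;
  let m;
  while ((m = assignment.exec(text)) !== null) {
    const [, name, , value] = m;
    const hit = classify(name, value);
    if (hit) findings.push({ name, value: redact(value), ...hit });
  }
  return findings;
}

// Scan a .env file; only variables with a browser prefix are examined,
// since the others never leave the build machine or the server.
function scanEnv(text) {
  const findings = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
    if (!BROWSER_ENV_PREFIXES.some((p) => name.startsWith(p))) continue;
    const hit = classify(name, value);
    if (hit) findings.push({ name, value: redact(value), ...hit });
  }
  return findings;
}

// Constructed sample of minified bundle output; no value here is real.
const SAMPLE_BUNDLE = `
var e={authorizationKey:"k8v3m1pq9z2r7t4x6w0b5n8c1j3f6h9y2a4e7g0d",key:"anonymous"};
const stripePublishableKey="pk_live_Qm2Lp9Rt4Vw8Kz1Nb6Yc3Xa7";
const backendToken='sk_live_Xa7Qm2Lp9Rt4Vw8Kz1Nb6Yc3';
const darkModeFlagKey="enable_dark_mode_for_enterprise";
`;

// Constructed .env sample. SPLIT_SERVER_SDK_KEY is fine because nothing
// inlines it; the NEXT_PUBLIC_ copy of the same value is the finding.
const SAMPLE_ENV = `
NEXT_PUBLIC_API_BASE=https://api.example.test
NEXT_PUBLIC_SPLIT_SDK_KEY=k8v3m1pq9z2r7t4x6w0b5n8c1j3f6h9y2a4e7g0d
VITE_STRIPE_PUBLISHABLE_KEY=pk_live_Qm2Lp9Rt4Vw8Kz1Nb6Yc3Xa7
SPLIT_SERVER_SDK_KEY=k8v3m1pq9z2r7t4x6w0b5n8c1j3f6h9y2a4e7g0d
`;

console.log(JSON.stringify({ bundle: scanBundle(SAMPLE_BUNDLE), env: scanEnv(SAMPLE_ENV) }, null, 2));
```

On the samples, the bundle scan reports two findings (the high-entropy authorizationKey for review and the sk_live_ token as high confidence) and the env scan reports one (NEXT_PUBLIC_SPLIT_SDK_KEY); the publishable key and the snake_case flag name pass. To run it against a real project, feed scanBundle the contents of each file under your build output directory and scanEnv each .env file, and treat a "review" hit as a prompt for a human to confirm whether the value is a server-side key. The entropy heuristic is deliberately loose, so expect a few false positives on long camelCase identifiers; the cost of reviewing those is small next to the cost of what ClickUp shipped.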
The more uncomfortable lesson is one ClickUp's certificates cannot paper over: a SOC 2 auditor will not check your homepage source code. A bug bounty program will not fix what its triage marks as resolved. The ticket on HackerOne sat for fifteen months, and the only thing that finally moved it was a researcher willing to publish.