ClickUp API Key Leak Exposes Hundreds of Enterprise Emails Over a Year
What Happened — A hard‑coded ClickUp API key was discovered in a public repository, allowing anyone to query the ClickUp API and retrieve email addresses of hundreds of corporate and government users for more than twelve months.
Why It Matters for TPRM (Third‑Party Risk Management) —
- SaaS providers can unintentionally expose sensitive data through insecure code practices.
- Third‑party email addresses are often used for phishing and credential‑stuffing campaigns against client organizations.
- Long‑standing exposure (here, more than a year) increases the risk of downstream breaches across supply‑chain relationships.
Who Is Affected — Enterprises across multiple sectors (technology, finance, government) that use ClickUp for project management and collaboration.
Recommended Actions —
- Review all integrations with ClickUp and verify that API keys are rotated and stored securely.
- Conduct a focused email‑address inventory to identify any exposed addresses and enforce MFA.
- Update vendor risk assessments to include secure‑coding and secret‑management controls for SaaS providers.
Technical Notes — The leak stemmed from a hard‑coded API token that was never rotated and that granted read‑only access to the /users endpoint, exposing email addresses. No CVE is associated; the issue is a misconfiguration/secret‑management failure, not a software vulnerability.
Source: TechRepublic Security
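To make the secret‑management point concrete, the following Python snippet is an added example (not code from the article, TechRepublic or ClickUp): a small heuristic that flags hard‑coded API‑key assignments of the kind behind this leak, beside the hardened pattern of reading the key from the environment at runtime. The variable‑name patterns, placeholder markers, entropy threshold and the sample source text are assumptions constructed for this example.

```python
import math
import os
import re
from collections import Counter

# Heuristic for assignments such as api_key = "..." or "token": '...'.
# Name list, placeholder markers and the entropy threshold are assumptions
# chosen for this example, not ClickUp's or any scanner's official rules.
SECRET_ASSIGN_RE = re.compile(
    r'(?P<name>[A-Za-z_]*(?:api[_-]?key|token|secret)[A-Za-z_]*)["\']?\s*[:=]\s*'
    r'["\'](?P<value>[^"\']{12,})["\']',
    re.IGNORECASE,
)
PLACEHOLDER_MARKERS = ("your", "example", "changeme", "<", "${")

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score well above readable text."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_hardcoded_secrets(text: str, min_entropy: float = 3.5) -> list:
    """Return (line number, variable name, value) for likely real secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SECRET_ASSIGN_RE.finditer(line):
            value = m.group("value")
            if any(mark in value.lower() for mark in PLACEHOLDER_MARKERS):
                continue  # template values are not leaks
            if shannon_entropy(value) >= min_entropy:
                findings.append((lineno, m.group("name"), value))
    return findings

def load_api_key(env_name: str, env=None) -> str:
    """Hardened form: read the key from the environment (or a secret manager)
    at runtime so it never lands in the repository; fail loudly if absent."""
    env = os.environ if env is None else env
    value = env.get(env_name)
    if not value:
        raise RuntimeError(f"{env_name} is not set; refusing to start")
    return value

# Constructed sample of an integration script; the token value is fake.
SAMPLE_SOURCE = """\
CLICKUP_API_KEY = "A1b2C3d4E5f6G7h8I9j0KlMn"   # hard-coded: will be flagged
placeholder_token = "YOUR_API_KEY_HERE"        # template value: skipped
api_key = load_api_key("CLICKUP_API_KEY")      # read at runtime: skipped
"""

if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} holds a hard-coded secret ({value[:4]}...)")
```

Running the script reports only the first sample line; production scanners such as gitleaks add provider‑specific token patterns on top of this kind of entropy check.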