RESEARCHERS at Mysterium VPN identified 12,088,677 IP addresses serving publicly accessible .env-style files, exposing credentials and tokens such as API keys, database passwords, and JWT signing keys. According to Mysterium VPN, the United States leads the count with nearly 2.8 million exposed IPs, accounting for around 23% of the total, with Japan, Germany, India, France and the UK also having substantial exposures.
The findings illustrate a global security hygiene problem: a web server misconfigured to serve dotfiles lets an attacker skip the break-in phase entirely and fetch the application's secrets with a single GET request for /.env. Exposed secrets can enable data theft, privilege escalation, forged tokens (a leaked JWT signing key lets an attacker mint valid sessions for any user) and abuse of cloud services on the victim's account, and the report finds the problem across industries and regions. It calls for stronger secret governance: automated secret scanning, and moving secrets out of files on the web root into centralised secret management with audit logging, rotation and restricted access.
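To make the exposure check concrete, the following is an added example (not Mysterium VPN's scanner or data) of the decision a scanner has to make for one host: is the body returned for GET /.env really a dotenv file, and which keys in it carry credentials? The two response bodies are constructed samples, and the key-name hints, the redaction format and the helper names are this example's own choices. The HTML fallback case matters in practice, because single-page apps answer 200 to any path and would otherwise inflate the count.

```python
"""Triage an HTTP response for an exposed dotenv file and flag credential-bearing keys.

Added example for this article; the responses below are constructed samples, not the
report's data. Key-name hints and the redaction format are this example's own choices.
"""
import re
from typing import Dict, List, Tuple

# Constructed: body a misconfigured web server returns for GET /.env
SAMPLE_ENV_BODY = """\
# Application settings
APP_ENV=production
APP_DEBUG=false
export DB_PASSWORD='s3cr3t-pa55'
DB_HOST=db.internal
JWT_SECRET="9f2c1d8e7a6b5c4d3e2f1a0b9c8d7e6f"
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01   # unquoted value with trailing comment
STRIPE_API_KEY=sk_test_fakefakefakefake
"""

# Constructed: what a single-page app serves for any unknown path, with HTTP 200
SAMPLE_HTML_BODY = "<!doctype html><html><head><title>App</title></head><body></body></html>"

ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
# Assumed list of substrings that mark a key as credential-bearing
SECRET_KEY_HINT = re.compile(
    r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_KEY|ACCESS_KEY|SIGNING", re.I
)


def parse_dotenv(body: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; tolerates blank lines, # comments, `export` and quoted values."""
    env: Dict[str, str] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] in "'\"" and value.endswith(value[0]):
            value = value[1:-1]                       # quoted: keep contents verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop trailing comment
        env[key] = value
    return env


def looks_like_dotenv(body: str, min_pairs: int = 2) -> bool:
    """A dotenv hit must parse as KEY=VALUE lines and must not be an HTML fallback page."""
    if "<html" in body[:512].lower():
        return False
    return len(parse_dotenv(body)) >= min_pairs


def classify_response(status: int, body: str) -> str:
    """Scanner decision for one GET /.env: only a 200 with dotenv content counts as exposed."""
    if status != 200:
        return "not_exposed"
    return "exposed" if looks_like_dotenv(body) else "not_exposed"


def triage_secrets(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, redacted_value) for entries whose key name suggests a credential."""
    hits = []
    for key, value in env.items():
        if value and SECRET_KEY_HINT.search(key):
            hits.append((key, f"{value[:3]}...({len(value)} chars)"))
    return hits


if __name__ == "__main__":
    for status, body in ((200, SAMPLE_ENV_BODY), (200, SAMPLE_HTML_BODY), (403, "")):
        verdict = classify_response(status, body)
        print(status, verdict)
        if verdict == "exposed":
            for key, redacted in triage_secrets(parse_dotenv(body)):
                print("  ", key, redacted)
```

Values are redacted before anything is logged, because a scanner that stores the recovered secrets in clear text becomes a second copy of the leak. On the defending side, the fix is not to tune the scanner but to stop the server from serving dotfiles at all (deny requests for paths beginning with `/.`) and to keep secrets out of the web root in the first place.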