12 Million exposed .env files reveal widespread security failures

Mysterium VPN found 12M IPs exposing .env files, leaking credentials and revealing widespread security misconfigurations worldwide.

Configuration mistakes rarely trigger alarms. A forgotten deny rule, an overlooked server setting, or a full project folder uploaded to production can quietly expose a company’s most sensitive secrets. In many cases, those secrets live inside simple environment files known as .env files.

Researchers at Mysterium VPN identified 12,088,677 IP addresses serving publicly accessible .env-style files.

“Researchers here at Mysterium VPN identified over 12 million IP addresses with publicly accessible .env-style files, revealing credentials and tokens, including JWT signing keys, API keys, database passwords, and service tokens.” reads the report published by Mysterium VPN. “The United States leads the count with nearly 2.8 million exposed IPs, accounting for around 23% of the total IP pool. The issue is global: Japan (1.1M), Germany (777K), India (652K), France (636K), and the UK (583K) also have substantial exposures, showing that this is a global security hygiene problem.”

These files exposed database credentials, API keys, JWT signing secrets, cloud tokens, and other sensitive values. The scale reveals a widespread operational hygiene problem affecting organizations across industries and regions.

A .env file stores key-value pairs that applications load at startup. Developers use them for database URLs, OAuth secrets, SMTP credentials, cloud access keys, and third-party tokens. The format stays simple and convenient. That same simplicity creates risk. If a server allows access to hidden files, anyone can request “/.env” and download live credentials without exploiting a vulnerability.

Attackers who retrieve these secrets skip the break-in phase entirely. They log in with valid credentials, query databases, forge authentication tokens, abuse APIs, or access cloud storage. OWASP guidance stresses strict secret control, rotation, auditing, and least-privilege scoping because exposed secrets often lead directly to compromise.

The exposure spans the globe. The United States accounts for nearly 2.8 million affected IPs, followed by Japan, Germany, India, France, the UK, Singapore, Ireland, Canada, and Australia. Large cloud and hosting footprints explain part of the distribution, but the pattern points to repeated deployment and configuration mistakes across ecosystems—not a single flawed platform.

The consequences can escalate quickly. Database credentials enable data theft and privilege escalation. API keys invite financial abuse and spam campaigns. Leaked JWT secrets allow attackers to forge tokens and hijack accounts. SMTP credentials open the door to phishing from legitimate domains. Cloud storage keys can expose backups, identity documents, and internal files.

These exposures usually stem from preventable errors: missing deny rules for hidden files, reverse proxies forwarding sensitive paths, static roots pointing to entire project directories, container images embedding secrets, or forgotten backup files such as .env.bak or .env.old. Attackers routinely scan for these predictable patterns.

When teams discover an exposed .env file, they must treat the event as a full security incident. Remove public access immediately, purge caches, and rotate every secret in the file. Invalidate tokens, review logs for suspicious access, and implement automated secret scanning in repositories and CI pipelines.

Long term, organizations need layered defenses. Block hidden and backup files at the server and CDN level. Move secrets out of web-accessible directories and into centralized secret management systems with audit logs and automated rotation. Scope keys to minimal permissions, enforce network restrictions, and adopt short-lived tokens. Deploy only approved artifacts and validate that no sensitive files remain publicly reachable.

The Mysterium VPN findings highlight a systemic issue: secret exposure continues at massive scale because teams treat configuration as an afterthought. Security teams must embed secret governance into development workflows, deployment pipelines, and infrastructure baselines. Without that shift, a single overlooked file will keep turning routine deployments into full-scale breaches.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, .env files)