ClickUp Data Leak Exposes Enterprise Emails for Over a Year
ID: ac18abbd-7cf5-513d-b41f-e40ae42b2f97
STIX ID: report--ac18abbd-7cf5-513d-b41f-e40ae42b2f97
Feed Name: TechRepublic Security
A hardcoded third-party API key embedded in ClickUp's public JavaScript allowed unauthenticated access to a backend endpoint, exposing 959 corporate and government email addresses and 3,165 internal feature flags for more than a year. The prolonged exposure raises the risk of targeted phishing, credential stuffing, and intelligence gathering, and underscores the need for stricter API key hygiene, access controls, and third-party SaaS security practices.
