ClickUp Discloses Feature Flag Misconfiguration That Exposed 893 Customer Email Addresses and a Live API Token
ID: 9b4a0d94-ebd5-5231-9b2f-6de629113baf
STIX ID: report--9b4a0d94-ebd5-5231-9b2f-6de629113baf
Feed Name: The Cyber Express
**Executive summary:** ClickUp exposed 893 customer email addresses and one live customer API token by embedding them in Split.io feature-flag targeting rules that are retrievable via the public client-side SDK key. The issue was discovered publicly on April 27, 2026; ClickUp removed the PII, invalidated the token, notified affected customers, and implemented automated detection and secrets scanning for flag configurations.
