12 Million exposed .env files reveal widespread security failures

https://securityaffairs.com/188590/hacking/12-million-exposed-env-files-reveal-widespread-security-failures.html?amp

Publish Date: 2026-02-27 03:03:00

Source Domain: securityaffairs.com

Pierluigi Paganini
February 27, 2026

Mysterium VPN found 12M IPs exposing .env files, leaking credentials and revealing widespread security misconfigurations worldwide.

Configuration mistakes rarely trigger alarms. A forgotten deny rule, an overlooked server setting, or a full project folder uploaded to production can quietly expose a company’s most sensitive secrets. In many cases, those secrets live inside simple environment files known as .env files.

Researchers at Mysterium VPN identified 12,088,677 IP addresses serving publicly accessible .env-style files.

“Researchers here at Mysterium VPN identified over 12 million IP addresses with publicly accessible .env-style files, revealing credentials and tokens, including JWT signing keys, API keys, database passwords, and service tokens,” reads the report published by Mysterium VPN. “The United States leads the count with nearly 2.8 million exposed IPs, accounting for around 23% of the total IP pool. The issue is global: Japan (1.1M), Germany (777K), India (652K), France (636K), and the UK (583K) also have substantial exposures, showing that this is a global security hygiene problem.”

These files exposed database credentials, API keys, JWT signing secrets, cloud tokens, and other sensitive values. The scale reveals a widespread operational hygiene problem affecting organizations across industries and regions.

A .env file stores key-value pairs that applications load at startup. Developers use them for database URLs, OAuth secrets, SMTP credentials, cloud access keys, and third-party tokens. The format stays simple and convenient. That same simplicity creates risk. If a server allows access to hidden files, anyone can request “/.env” and download live credentials without exploiting a vulnerability.
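The practical question for a defender is whether a server has already handed out such a file. The script below is an added example, not code from the Mysterium VPN report or from Security Affairs; it audits Apache/nginx "combined"-format access logs for requests to .env-style paths (/.env, /.env.local, /app/.env.production) and separates requests that returned 200 (the file was served, so every secret in it should be treated as compromised and rotated) from those the server blocked with 401/403/404. The log lines are constructed for the example and use RFC 5737 documentation addresses.

```python
"""Audit web-server access logs for requests to .env-style files.

A 200 on such a path means the server actually served the file and the
credentials in it must be treated as compromised; a 403/404 means the
request was probed but blocked. Assumes Apache/nginx "combined" log format.
"""
import re
from collections import Counter

# Combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Final path segment named .env or .env.<suffix> (/.env, /.env.local, /app/.env.production).
ENV_PATH_RE = re.compile(r'(?:^|/)\.env(?:\.[A-Za-z0-9_-]+)?$')


def is_env_request(path):
    """True if the request path (query string stripped) targets a .env-style file."""
    return ENV_PATH_RE.search(path.split('?', 1)[0]) is not None


def classify(line):
    """Return a finding dict for a .env-style request, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None or not is_env_request(m['path']):
        return None
    status = int(m['status'])
    if status == 200:
        verdict = 'EXPOSED'      # file was served: rotate every secret in it
    elif status in (401, 403, 404):
        verdict = 'BLOCKED'      # probed, but the server refused or had nothing
    else:
        verdict = 'OTHER'        # redirects, 5xx etc.: inspect manually
    return {'ip': m['ip'], 'time': m['ts'], 'path': m['path'],
            'status': status, 'verdict': verdict}


def audit(lines):
    """Scan log lines; return (findings, Counter of verdicts)."""
    findings = [f for f in map(classify, lines) if f is not None]
    return findings, Counter(f['verdict'] for f in findings)


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Feb/2026:03:03:01 +0000] "GET /.env HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Feb/2026:03:03:02 +0000] "GET /.env.production HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [27/Feb/2026:03:04:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.23 - - [27/Feb/2026:03:04:11 +0000] "GET /api/.env?x=1 HTTP/1.1" 403 162 "-" "curl/8.0"',
    '192.0.2.9 - - [27/Feb/2026:03:05:00 +0000] "GET /assets/environment.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    findings, summary = audit(SAMPLE_LOG)
    for f in findings:
        print(f"{f['verdict']:8} {f['status']} {f['ip']:15} {f['path']}")
    print(dict(summary))
```

Run it against a real log with `audit(open('access.log').readlines())`; any EXPOSED line is an incident, not a warning, because the page's point is exactly that no exploit is needed once the file is served. Pair the audit with the server-side fix it implies: deny all dotfiles at the web-server level and keep .env files out of the document root entirely.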

Attackers who retrieve these secrets skip the…