I was casually looking around a public education website when I stumbled on something unexpected, a JavaScript file packed with sensitive internal data. At first, I thought it was just some leftover debug script, but as I kept scrolling, things got more interesting (and a little concerning).

Inside the file were hardcoded secrets, CI/CD details, internal repository links, email addresses of real employees, and even references to internal comms like Slack and Teams. All of this was publicly accessible which it shouldn’t be.

This blog walks you through how I found it, what kind of data was exposed, and why stuff like this is more common (and dangerous) than people realize. Sometimes you’ll come across things in a JS file that might seem as informative bug. This post will help you learn how to spot the kind of information that’s actually confidential, and why it’s worth keeping an eye out for it.

This started out like any other recon session. I was enumerating subdomains for a well-known company when I came across one that looked a little off nothing major, just a bit outdated and kinda weird lol.