ClickUp Discloses Feature Flag Misconfiguration That Exposed 893 Customer Email Addresses and a Live API Token

The Cyber Express, Apr 29, 2026

Why It Matters

The breach shows that standard feature‑flag architectures can unintentionally leak personally identifiable information, forcing SaaS firms to reinforce secret‑management and data‑sanitization controls.

Key Takeaways

  • 893 customer emails exposed via public Split.io SDK key
  • Live API token leaked in flag config for one workspace
  • PII placed in feature‑flag targeting rules caused data exposure
  • ClickUp deployed automated scans for emails and secrets in flags
  • Peer‑review process remains; new tooling prevents similar errors

Pulse Analysis

Feature‑flag platforms such as Split.io, LaunchDarkly, and similar services rely on a public client‑side SDK key to evaluate flags in browsers. This design is intentional: the key is embedded in the JavaScript bundle so that end‑users can receive real‑time feature toggles without server round‑trips. However, the same openness means any data stored inside flag definitions—especially targeting rules—can be retrieved by anyone who knows the key. When ClickUp embedded raw customer email addresses in those rules, the information became instantly searchable via the splitChanges endpoint, turning a benign architectural choice into a privacy exposure.

ClickUp’s incident underscores a broader industry challenge. While the company’s engineering team used the flag system for beta rollouts, they treated the configuration as an internal data store, overlooking that the SDK key makes the entire flag payload public. The leaked live API token, added to a rate‑limiting flag, further illustrates how ad‑hoc fixes can compound risk. Although no malicious activity was detected beyond the researcher’s probe, the exposure of nearly a thousand email addresses and a credential highlights the need for rigorous review of what is stored in feature‑flag metadata, especially in SaaS environments handling third‑party data.

Moving forward, firms should adopt automated secret‑scanning and PII‑detection tools within their flag‑deployment pipelines, similar to the safeguards ClickUp now implements. Policies must explicitly forbid the inclusion of personally identifiable information or credentials in flag configurations, and peer‑review processes should be augmented with static analysis checks. By treating feature‑flag definitions as part of the attack surface, organizations can prevent accidental data leaks and maintain compliance with privacy regulations, reinforcing trust among customers and partners.
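As an added illustration of the automated email and secret scanning recommended above (example code written for this article, not ClickUp's or Split.io's own tooling), the scanner below walks a constructed flag payload that mimics the nested shape of a client-side flag definition, reports email addresses found in targeting rules, and reports high-entropy token-like strings found in flag configuration values. The matcher names, the `tok_live_` prefix and the 3.5-bit entropy threshold are assumptions chosen for the example.

```python
import json
import math
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample shaped like a client-side flag payload (illustrative
# only; not ClickUp's or Split.io's real data). The second flag stores a
# credential inside its configuration string, as described in the article.
SAMPLE_FLAGS = json.loads("""
{
  "splits": [
    {"name": "beta_dashboard",
     "conditions": [{"matcher": "WHITELIST",
                     "whitelist": ["alice@example.com", "bob@example.org"]}]},
    {"name": "rate_limit_bypass",
     "configurations": {"on": "{\\"token\\": \\"tok_live_4f9c2b7e1d8a6c3e5b0f9a1d2c4e6b8a\\"}"}},
    {"name": "dark_mode",
     "conditions": [{"matcher": "ALL_KEYS"}]}
  ]
}
""")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Long unbroken token-like runs; the entropy check below filters plain words.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{24,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cutoff for this example

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, used to separate secrets from words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def walk_strings(node, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, string) for every string value in a nested structure."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk_strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk_strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_flags(config: dict) -> List[Dict[str, str]]:
    """Return findings for emails and secret-like tokens anywhere in flag definitions."""
    findings = []
    for path, text in walk_strings(config):
        for m in EMAIL_RE.finditer(text):
            findings.append({"kind": "email", "path": path, "value": m.group()})
        for m in TOKEN_RE.finditer(text):
            if shannon_entropy(m.group()) > ENTROPY_THRESHOLD:
                findings.append({"kind": "secret", "path": path, "value": m.group()})
    return findings

if __name__ == "__main__":
    for f in scan_flags(SAMPLE_FLAGS):
        print(f"{f['kind']:6} {f['path']}: {f['value']}")
```

Run as a pipeline gate, a non-empty result from `scan_flags` would block the flag change before it reaches the publicly readable payload.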
