The Dump That Almost Killed a Unicorn

How a publicly accessible Spring Boot heapdump exposed production database credentials at a high-growth startup.

I downloaded a JVM heapdump. Found prod DB credentials inside. Logged in. Because why not?

The Setup

This wasn’t your average startup. They were big. Over $200M raised. Seven-figure monthly active users. Engineers all over the place. And then… there was /actuator/heapdump just vibing publicly on one of their subdomains.

[Screenshot: curl request to the actuator heapdump endpoint, showing the publicly accessible Spring Boot heapdump endpoint]

Downloaded the dump. Heavy one. Decided to go old school on it:

strings heapdump | grep -E "jdbc:mysql://|password="
[Screenshot: extracting database connection strings and credentials from the heapdump using strings]

And there it was. Nestled in the memory dump like a warm forgotten cookie — their production database credentials.

mysql -h unicorn-db.ap-south-1.rds.amazonaws.com -u appadmin -p
# Enter password: (spoiler: it worked)
[Screenshot: successful authentication to the production database using the extracted credentials]

Disclosure Time

I reached out quietly to report the issue. No big announcement. No public tweets. Just a polite message saying, “Hey, your prod DB credentials are publicly downloadable.”

The endpoint was taken down. The credentials were changed. But they never replied.

They fixed it. Silently. Without a single thank-you.

A Message to Other Startups

  • Spring Boot Actuator endpoints should never be exposed in production
  • Audit staging and debug endpoints before deployment
  • Heapdumps can contain sensitive secrets and credentials
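To make the three points above concrete, here is an added example (not from the original post, and not the affected company's configuration) of the Spring Boot application.yml setting that produces this exposure, followed by a hardened version. It assumes Spring Boot 2.x or 3.x with spring-boot-starter-actuator on the classpath; the two YAML documents are meant as two separate files, not one.

```yaml
# Added example, not from the original post.
# Document 1: the exposed configuration. A single wildcard publishes every
# actuator endpoint (heapdump, env, threaddump, ...) on the same port as
# public traffic, with no authentication.
management:
  endpoints:
    web:
      exposure:
        include: "*"
---
# Document 2: the hardened configuration.
management:
  endpoints:
    enabled-by-default: false      # nothing exists unless enabled below
    web:
      exposure:
        include: "health,info"     # only the two low-risk endpoints are mapped
  endpoint:
    health:
      enabled: true
      show-details: never          # no datasource/component detail to callers
    info:
      enabled: true
    heapdump:
      enabled: false               # explicit: a heap snapshot is a secrets dump
    env:
      enabled: false               # explicit: env exposes property values
  server:
    port: 8081                     # management traffic on a separate port that
                                   # stays off the public load balancer
```

Exposure limits which endpoints exist; pair it with Spring Security (or a reverse-proxy rule) so that /actuator/** requires an authenticated operator role, since the health and info endpoints still reveal version and component details.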

Some startups spend millions on DevOps but skip the basics that matter.

Proactive, Not Reactive

If you’re a founder reading this — security doesn’t have to be expensive. But ignoring it could be.