
Cybernews researchers have discovered severe misconfigurations affecting two Tencent sites, exposing sensitive credentials and internal source code. The critical flaws could potentially grant full access to internal services and backend infrastructure within Tencent Cloud. After publication, Tencent explained that no data was exposed and that the findings relate to a honeypot deployed as a security test.
- Severe misconfigurations have been discovered on two Tencent Cloud sites, exposing sensitive credentials and internal source code. Tencent later explained these were honeypots.
- The environment files with hardcoded administrative console credentials and the .git directory have been publicly accessible for months, posing risks to millions of Tencent Cloud users.
- Tencent acknowledged it as a “known issue” and closed access.
On July 23rd, 2025, the Cybernews research team discovered inadvertently exposed configuration files for two subdomains of the official Tencent Cloud domain.
The exposed files included hardcoded plain-text passwords, a sensitive internal .git directory, and other information that external attackers could potentially abuse.
One of the affected services was related to Tencent’s internal load balancer, and another subdomain was a deployment of JEECG, an open-source development platform promoted by Tencent Cloud.
The hardcoded credentials appeared to grant direct access to Tencent Cloud’s administrative console.
“If found by a malicious actor, these credentials could allow full access to backend infrastructure or internal services within Tencent Cloud,” Cybernews researchers said.
Additionally, the exposed .git folder, which stores project history and tracks changes to files over time, made it possible to download and reconstruct the source code of Tencent Cloud’s internal infrastructure deployment. Root credentials for the console were discovered here.
The exposed passwords were also weak and vulnerable to dictionary attacks. They were composed using the company name, the year, and some symbols.
Further investigation of historical data revealed that the sensitive files had been exposed for a few months, since at least April 2025.
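The exposure described above (a .git directory, environment files with hardcoded credentials, and passwords built from the company name plus a year) can be caught before a directory is ever published. The following pre-deployment audit is an added example, not code from Cybernews or Tencent; the key-name pattern, the finding labels and the `example` organization name are assumptions, and the sample files are constructed.

```python
import os
import re
import tempfile

# Assumed key names that usually hold secrets in .env-style files.
SECRET_KEY = re.compile(r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY)", re.I)
YEAR = re.compile(r"(19|20)\d{2}")

def is_org_year_password(value, org_names):
    """True if the value is essentially <org name> + <year> + symbols."""
    lowered = value.lower()
    for org in (o.lower() for o in org_names):
        if org in lowered and YEAR.search(lowered):
            # Strip the org name, the year and punctuation; little should remain.
            rest = YEAR.sub("", lowered.replace(org, ""))
            if len(re.sub(r"[^a-z0-9]", "", rest)) <= 2:
                return True
    return False

def audit_web_root(root, org_names):
    """Walk a directory about to be served and return (location, finding) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            findings.append((os.path.join(dirpath, ".git"), "git-directory"))
            dirnames.remove(".git")  # do not descend into repository objects
        for name in filenames:
            if not (name.startswith(".env") or name.endswith(".env")):
                continue
            path = os.path.join(dirpath, name)
            findings.append((path, "env-file"))
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    key, sep, value = line.strip().partition("=")
                    value = value.strip().strip("'\"")
                    if line.lstrip().startswith("#") or not sep or not value:
                        continue  # comment, malformed line, or empty value
                    if SECRET_KEY.search(key):
                        weak = is_org_year_password(value, org_names)
                        findings.append((f"{path}:{key.strip()}", "weak-secret" if weak else "hardcoded-secret"))
    return findings

def demo():
    """Audit a constructed web root containing app/.git and app/.env."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", ".git"))
        with open(os.path.join(root, "app", ".env"), "w") as fh:
            fh.write("# constructed sample\nADMIN_PASSWORD=Example@2025!\nDB_HOST=localhost\nAPI_TOKEN=\n")
        return sorted(kind for _, kind in audit_web_root(root, ["example"]))
```

Run as a CI step against the build output, any finding should fail the deployment; secrets belong in a secrets manager or injected environment, not in files under the served directory.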
Cybernews responsibly disclosed the findings to Tencent Cloud. The company acknowledged the findings as a “known issue” that had been reported before. The leak is now closed. Cybernews reached out to the company for a comment, but had not received a response by the time of publishing. The company responded with a statement after publication.
“The reports are incorrect. No user data was exposed, and no business operations were ever put at risk. The system referenced was an intentionally deployed honeypot, which is a time-limited security measure designed and created to test defenses, and it has already been taken offline. This is also a common and standard security practice being used across the industry,” said Tencent in a statement.
An open door for hackers
If hackers were to find the publicly accessible configuration files, the potential implications could’ve been severe, potentially leading to extremely damaging cyberattacks against the company and its users worldwide.
“It opens up the whole trove of ways to exploit access like that,” the Cybernews researchers said.
“The prolonged exposure raises alarming questions about how many scraping bots have already accessed this data and whether it has already been used for malicious purposes.”
A malicious actor with access to the misconfigured files and directories could potentially do the following:
- Gain full administrative access to the production systems
- Tamper with internal API services
- Attach malicious payloads to the trusted front-end code
- Pivot further into Tencent’s internal cloud infrastructure
- Or simply abuse the trusted Tencent domain for malicious phishing campaigns
“When the stakes involve cloud consoles, source code, and root access, there’s no such thing as a small leak. Tencent Cloud is a reputable and technically advanced platform, yet no one is immune to even basic operational oversights,” our researchers explained.
Cybernews researchers haven’t attempted to access password-protected services or clone the internal repositories. However, the visible exposed data suggested that it was used for staging and production environments, indicating that both environments may be impacted.
“We live in the age when developers are encouraged to blindly trust the cloud. This leak demonstrates that even minor errors can escalate into high-risk failures, creating a cascading chain of vulnerabilities down the supply chain,” our researchers said.
“Giants like Tencent carry a weight, and attackers are fully aware of how much trust users place in big brand names.”
Tencent Cloud is a major global cloud provider and a division of Tencent Holdings, one of China’s largest technology companies, serving over 10 million users. Its infrastructure powers services across well-known gaming, finance, communication, and enterprise applications, reaching millions of users worldwide daily.
- Leak discovered: July 23rd, 2025
- Initial disclosure: July 24th, 2025
- Acknowledgement: July 24th, 2025
- Leak closed: before August 25th, 2025
- Public disclosure: August 27th, 2025
Updated on August 29th [08:05 a.m. GMT] with a statement from Tencent