I'm Adam — a security researcher who locates exposed systems, leaked credentials, and misconfigurations on the open web, then quietly tells the owners how to fix them. No exploitation. No ransom. Just a heads-up.
Most exposed secrets aren't discovered by hackers first — they're discovered by whoever happens to look. I make sure that's someone on your side.
Adam is an independent security researcher working under the name White Web Security. The work is simple to describe and uncomfortable to ignore: scanning the public internet for the things that should never be public — exposed environment files, open .git directories, leaked database dumps, misconfigured servers and forgotten backups.
When something turns up, nothing gets touched, downloaded, or sold. The finding is documented, the owner is located, and a clear report goes out under responsible disclosure — with enough detail to fix it and nothing more. The goal is never the credentials. It's the email that says "we rotated everything, thank you."
Plain-English playbooks for the moment you realise something sensitive is public. Don't panic — work the checklist.
Database passwords, API keys, JWT secrets — assume all of them are now public. Here's how to rotate fast and check what was reached.
Open guide .git/configAn open .git folder can leak your whole source history — and the secrets committed into it. Here's how to close it and assess the damage.
Open guide sftp.jsonThis file stores your SFTP host and password in plain text — often root. Assume the box is compromised and move fast: rotate, lock down, read the logs.
Open guide MySQL :3306An open MySQL on port 3306 lets anyone read or wipe your data — and ransom bots love it. Close it, rotate, recover from backups.
Open guide MongoDB :27017The classic ransom target: open Mongo gets its databases dropped and replaced with a note. Lock it down and recover from backups — don’t pay.
Open guide Elasticsearch :9200An open cluster on :9200 dumps every indexed log and record in one request. Secure it, then assume it was scraped.
Open guide Registry :5000No auth means anyone can pull your private images — source code and baked-in secrets included. Close it and rotate.
Open guide VNC :5900A passwordless VNC is your live desktop, open to the world. Cut its access now and treat the machine as compromised.
Open guide NFS :2049A world export lets anyone mount your shares and read the files. Restrict the exports and firewall NFS.
Open guide RabbitMQ :5672guest/guest on an exposed broker means anyone can read and inject messages. Disable the default user and rotate.
Open guide /actuatorPublic /actuator leaks your config via env and live secrets via heapdump. Restrict it and rotate everything.
Open guide Firebird :3050SYSDBA / masterkey unchanged on an open server is full admin for anyone. Change it and firewall port 3050.
Open guide wp-config.phpWordPress's config holds DB credentials and secret keys in plain text. Move it above the web root and rotate everything.
Open guide .git/indexThe index lists every tracked file with SHA hashes — git-dumper can use it to reconstruct your entire source code without a token.
Open guide .swp / .swoEditors create swap files automatically. If one landed in your web root, it may contain passwords from the file you were editing.
Open guide id_rsa / id_ed25519A public private key means anyone can log into every server where it's authorised — no password needed. Revoke it everywhere, immediately.
Open guide backup.sqlA public dump means your entire database — every record, user, and potentially hashed password — is downloadable. Remove it and assess the damage.
Open guide terraform.tfstateTerraform stores AWS keys, DB passwords and service account credentials in plain text inside .tfstate. Rotate every cloud credential immediately.
Open guide serviceAccountKey.jsonExposed GCP/AWS/Firebase credentials mean an attacker can make API calls as your service account. Revoke and regenerate before they do anything with it.
Open guide appsettings.json.NET's config file holds connection strings, API keys and secrets. Rotate everything inside it and move secrets to environment variables.
Open guide application.propertiesSpring Boot's config contains datasource passwords and API credentials. Rotate them and use Spring profiles properly to keep secrets out of the web root.
Open guide config.phpPHP config files hold database credentials in plain text. Change the DB password and move the file outside the web root.
Open guide settings.pyDjango's SECRET_KEY and database passwords were public. Rotate the SECRET_KEY (it invalidates all sessions) and the DB password immediately.
Open guide web.configIIS's web.config can contain database connection strings and encryption keys. Rotate credentials and move secrets to environment variables.
Open guide .travis.yml / JenkinsfilePlain-text tokens or API keys in CI config are now public. Revoke them in every provider and switch to encrypted environment variables.
Open guide .docker/config.jsonDocker's auth config holds base64-encoded registry tokens. Revoke them in your registry and use a credential helper instead of storing tokens in files.
Open guide .htpasswdHashed passwords are offline-crackable. Move the file outside the web root and reset all protected-area passwords.
Open guide secrets.json / .npmrcGeneric credential files (secrets.json, auth.json, .npmrc) may hold API tokens and access keys. Identify what's inside, revoke each one, and regenerate.
Open guide CLAUDE.md / .cursorrulesAI coding assistant configs often contain system prompts with internal architecture details, business logic, and sometimes API keys. Find out what was exposed and lock it down.
Open guide .netrcThe .netrc file stores plaintext passwords for FTP, SFTP, HTTP and Git hosts. An exposure means every listed service is immediately accessible to anyone who read it.
Open guide docker-compose.ymlCompose files routinely contain database passwords, API keys and SMTP credentials in plain text inside environment: blocks. Rotate everything and move secrets out of the file.
Open guide /storage/logs/laravel.logLaravel error logs contain database DSNs and API keys that spill into exception messages. Block the path, rotate every credential in the log, and set APP_DEBUG=false in production.
Open guideNo surprises, no pressure, no fee. Every report follows the same predictable path — and you stay in control of the fix.
Findings come from read-only observation of what's already public. Nothing is accessed beyond what proves the issue exists.
The exposure, its location, and its impact are written up clearly — kept confidential between you and me.
I find your security contact and send the report directly, with everything you need to verify and remediate.
Rotate secrets, close the hole, review your logs. I'm available for questions and will never publish without your say-so.
If a heads-up ever saved you a very bad week, you can say thanks.