Too Long; Didn't Read
A software developer scanned 2.6 million domains for exposed.env files. He found 135 database users and passwords, 48 e-mail user accounts with passwords, 11 live credentials for payment providers (like Stripe or Paypal) 98 secret tokens for different APIs and 128 app secrets. The dangerous aspect is that the passwords and secrets are in unencrypted form in the.env file. When the web server is misconfigured and this.env file is delivered by the web. server, anyone can. query this data.