My .env file got leaked — what should I do?

A leak is not only “it hit GitHub.” It is often:

  • Pasted into Slack / Discord / Zoom chat.
  • Attached to a support ticket “for debugging.”
  • Uploaded to a pastebin or gist.
  • Included in a screenshot or Loom recording.

Assume fast indexing and unknown copies. Your playbook overlaps committed API key for rotation — but containment starts differently.

1. First 15 minutes: stop the spread

  1. Delete the message / attachment where you can (Slack admin may be needed).
  2. Do not post the secret again while asking for help — describe it as “the .env from repo X around 14:00 UTC.”
  3. Screenshot internal evidence redacted for your incident log.

Slack documents retention and admin controls — know your workspace settings: Slack data management.

2. Rotate everything in that file (assume full compromise)

Unlike a single stray token, .env usually contains many secrets at once:

  • Database URLs
  • Third-party API keys
  • JWT signing secrets
  • Internal service tokens

Order: protect data stores first (revoke network access if possible), then third parties, then signing secrets (may invalidate sessions — plan a maintenance window).

Use the detailed checklist: rotate API keys safely.

3. If it was only internal Slack (private workspace)

Risk is lower than public GitHub but not zero:

  • Compromised Slack accounts, export tools, legal hold archives.
  • Mobile clients with offline cache.

Still rotate high-value keys; for low-risk dev-only sandboxes, follow company policy.

4. If database credentials were inside

Follow recover from exposed database credentials.

5. Aftercare: culture + tooling

Related