lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Mattermost

Mattermostcollaboration3 credentials

Credentials3 documented
01

Database Credentials

mattermost / database-credentials

Mattermost server configuration can be supplied through config.json, database-backed configuration, or environment variables. Database connection strings are explicitly called out in Mattermost configuration documentation.

user definedsecretusername/password

Looks like

pattern
pattern

Mattermost SQL data source connection string containing username and password

(?:postgres|mysql)://[^\s:@]+:[^\s@]+@[^\s/]+

Location

config file
config.json

Mattermost SqlSettings DataSource and related database settings

environment
MM_SQLSETTINGS_DATASOURCE, MM_SQLSETTINGS_DRIVERNAME
secret store

Kubernetes Secrets, cloud secret managers, CI/CD variables, and database password vaults

source code

committed config.json, Helm values, Docker Compose files, and tests

logs

startup logs and database connection troubleshooting output

Notes

Database access can expose users, sessions, personal access tokens, channels, files metadata, and plugin configuration.

02

Personal Access Token

mattermost / personal-access-token

Mattermost personal access tokens authenticate against the API and are equivalent to regular session tokens for many purposes. Mattermost documents that personal access tokens are cryptic random IDs and can be used with AD/LDAP and SAML accounts.

user definedsecrettoken

Location

http header
Authorization

Bearer token used for Mattermost API requests

database

Mattermost database token/session tables storing token state

environment
MATTERMOST_TOKEN, MM_ACCESS_TOKEN
config file

bot config, integration config, .env files, and deployment manifests

secret store

CI/CD variables, bot secret stores, and cloud secret managers

source code

bot scripts, tests, and committed integration clients

logs

API client traces and automation logs

Notes

Token blast radius depends on the creating user's permissions and any additional roles granted for token use.

03

User Password

mattermost / user-password

Mattermost users authenticate with local, LDAP, SAML, or other configured authentication backends. Local passwords and sessions are stored in the Mattermost database.

user definedsecretusername/password

Location

database

Mattermost database storing user account and password/session verifier data

public interface
/login, Mattermost API

Mattermost web login and API endpoints

config file

local dev config, test fixtures, and LDAP bind settings

secret store

password vaults and identity provider secrets

logs

authentication logs and web server traces

Notes

Login credentials may live in Mattermost itself or in connected LDAP/SAML identity providers depending on site configuration.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.