lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Rocket.Chat

Rocket.Chatcollaboration3 credentials

Credentials3 documented
01

Provisioned Admin Password

rocket-chat / admin-provisioning-password

Rocket.Chat deployment environment variables can provision an admin user during deployment. Rocket.Chat documents deployment variables for configuring and provisioning workspaces without relying on the UI.

generated on installuser definedsecretusername/password

Location

environment
ADMIN_USERNAME, ADMIN_PASS, ADMIN_EMAIL, OVERWRITE_SETTING_Accounts_AdminUsername
public interface
Rocket.Chat login and administration UI
database

MongoDB database storing users, credentials, sessions, and settings

secret store

Docker/Kubernetes secrets, cloud secret managers, and deployment vaults

source code

Docker Compose files, Helm values, tests, and committed deployment manifests

logs

startup logs and provisioning output

Notes

Admin credentials are deployment-specific. Do not treat documentation examples as shipped defaults.

02

Personal Access Token

rocket-chat / personal-access-token

Rocket.Chat supports personal access tokens for API use. Tokens are user-scoped credentials for scripts, bots, and integrations.

user definedsecrettoken

Location

http header
X-Auth-Token, Authorization

Rocket.Chat REST API token or bearer authentication context

database

MongoDB records storing user tokens and sessions

environment
ROCKETCHAT_AUTH_TOKEN, ROCKETCHAT_TOKEN
config file

bot config, integration config, .env files, and deployment manifests

secret store

bot secrets, CI/CD variables, and cloud secret managers

source code

bot scripts, tests, and committed REST clients

logs

REST API traces and bot logs

Notes

Token permissions follow the owning Rocket.Chat user and workspace roles.

03

MongoDB Credentials

rocket-chat / mongodb-credentials

Rocket.Chat stores workspace state in MongoDB and deployments configure MongoDB connection URIs through environment variables. Authenticated URIs can contain database usernames and passwords.

user definedsecretusername/password

Looks like

pattern
pattern

MongoDB URI with username and password used by Rocket.Chat

mongodb(?:\+srv)?://[^\s:@]+:[^\s@]+@[^\s/]+

Location

environment
MONGO_URL, MONGO_OPLOG_URL
config file

Docker Compose files, systemd units, Helm values, and deployment manifests

secret store

Kubernetes Secrets, cloud secret managers, and database password vaults

source code

committed deployment configs and test fixtures

logs

startup logs and MongoDB connection troubleshooting output

Notes

MongoDB access can expose users, password hashes, tokens, messages, files metadata, integrations, and workspace settings.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.