How do exposed .env files get discovered?
Attackers use automated scanners that check thousands of common paths like /.env, /wp-config.php.bak, and /.git/config. If your file is accessible, they will find it within hours.
What damage can an exposed .env file cause?
A .env file typically contains database passwords, API keys, and secret tokens. With these, an attacker can access your database, impersonate your services, and pivot to other systems.