I bumped into this Medium post that Postman is logging all our secrets. Can you please clarify how to take steps to secure our secrets and API keys stored in environment variables and not expose them to Postman Cloud?
Hey @pavan-kaira
Welcome to the Postman Community!
There is a lot of misleading and wrong information in that post. They have basically man-in-the-middle’d their own connection, which is why they can then see it “in plain text”. Postman uses SSL to encrypt data in transit and also encrypts it when stored in the cloud.
More details about this and all the other security information for Postman can be found here:
They were not creating a “secret” string, they used an option to only mask the value in the UI which is mainly used for over the shoulder type attacks. They created a synced value, by placing this in the Initial Value of the variable.
The difference between Initial and Current Values can be found here:
An Initial Value is used to facilitate collaboration between members of the same team and also allows you to use your Workspace across different platforms and devices (Desktop Client, Web Client, VSCode extension, etc.).
Essentially, don’t ever hardcode any sensitive data, which is the case for anything and is not specific to Postman. If you are going to use sensitive data in your Collections and Requests, use variables with the {{var_name}} syntax and only place these into the Current Value so it stays local to your machine and isn’t synced.
Make full use of your locally encrypted data store, the Postman Vault. Place all sensitive data in here and then reference the data as a variable.
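As an added example (not part of this thread and not Postman's own tooling), here is a small script that checks an exported Postman environment for the mistake described above: a secret placed in the Initial Value, which is what gets synced and exported. It assumes the export JSON shape of a `values` array of `{key, value, type, enabled}` entries and that the exported `value` is the Initial Value; the sample export and the variable names are constructed for the example. The `secret` type is treated only as a UI-masking hint, not as protection, matching the point made in the answer.

```python
import json
import re

# Constructed sample of a Postman environment export (assumed format:
# a "values" array of {key, value, type, enabled}). Not from the thread.
SAMPLE_ENV_EXPORT = json.dumps({
    "name": "staging",
    "values": [
        {"key": "base_url", "value": "https://api.example.test", "type": "default", "enabled": True},
        # Secret placed in the Initial Value: masked in the UI, but it still syncs/exports.
        {"key": "api_key", "value": "sk_test_placeholder_0000", "type": "secret", "enabled": True},
        # Secret kept only in the Current Value: the export carries an empty string.
        {"key": "auth_token", "value": "", "type": "secret", "enabled": True},
    ],
})

# Variable names that usually hold credentials; extend to taste.
SENSITIVE_NAME = re.compile(r"(key|token|secret|password|passwd|pwd|credential)", re.I)


def _looks_sensitive(var: dict) -> bool:
    """A variable is treated as sensitive if Postman marks it 'secret' (UI masking
    only) or if its name suggests a credential."""
    return var.get("type") == "secret" or bool(SENSITIVE_NAME.search(var.get("key", "")))


def find_synced_secrets(export_json: str) -> list:
    """Return the sensitive variables whose exported (Initial) value is non-empty,
    i.e. the ones that would be synced to the cloud and shared with the team.
    Only the key, type and value length are reported, never the value itself."""
    env = json.loads(export_json)
    findings = []
    for var in env.get("values", []):
        value = var.get("value") or ""
        if value.strip() and _looks_sensitive(var):
            findings.append({
                "key": var.get("key", ""),
                "type": var.get("type", "default"),
                "value_length": len(value),
            })
    return findings


def redact_export(export_json: str) -> str:
    """Return a copy of the export with every sensitive variable's Initial Value
    blanked, so the file can be shared; each team member then fills in the
    Current Value locally (or references the Postman Vault) instead."""
    env = json.loads(export_json)
    for var in env.get("values", []):
        if _looks_sensitive(var):
            var["value"] = ""
    return json.dumps(env, indent=2)


if __name__ == "__main__":
    for finding in find_synced_secrets(SAMPLE_ENV_EXPORT):
        print(f"synced secret: {finding['key']} (type={finding['type']}, "
              f"{finding['value_length']} chars in Initial Value)")
    print(redact_export(SAMPLE_ENV_EXPORT))
```

Run it against a real export (`postman_environment.json`) before committing or sharing the file; a non-empty finding means the value lives in the Initial Value and should be moved to the Current Value or the Vault.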