Researchers uncover leaked API keys on nearly 10,000 websites

Researchers analyzing 10 million web pages have identified 1,748 active API credentials from 14 major providers exposed across nearly 10,000 websites, including those run by banks and healthcare providers. These leaks could enable attackers to access sensitive data or gain control over digital infrastructure. Nurullah Demir of Stanford University described the issue as very significant, affecting even major companies.

A team led by Nurullah Demir at Stanford University in California scanned 10 million web pages and found 1,748 verified, active API credentials from services such as Amazon Web Services, Stripe, GitHub, and OpenAI. These were scattered across nearly 10,000 websites, with affected organizations including a global systemically important financial institution, a firmware developer, and a major hosting platform, alongside banks and healthcare providers. The exposed credentials, some of which could reveal RSA private keys, could allow attackers to impersonate servers, decrypt communications, or seize administrative control of company infrastructure.

84% of the leaks appeared in JavaScript environments, most likely because bundler tools used by developers inlined the values into shipped code, while 16% came from third-party resources such as plugins. The credentials had been publicly accessible for an average of 12 months, with some online for up to five years. The researchers notified the affected companies, and about 50% removed the keys within two weeks, though some did not respond.

Katie Paxton-Fear at Manchester Metropolitan University noted that many developers did not intend to be insecure, attributing the exposures to quirks in their development pipelines. Nick Nikiforakis at Stony Brook University highlighted that a leaked API key lets an attacker act as an authorized user, a serious risk in modern software development. Demir emphasized shared responsibility: developers must configure their environments properly, tool creators should hide keys by default, and hosts should scan for and deactivate leaked keys promptly. The findings are detailed in a paper on arXiv (DOI: 10.48550/arXiv.2603.12498).
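As an added defensive illustration (not code from the paper or from the article), here is a minimal pre-deploy check that scans a built JavaScript bundle for literal credentials of the kind the study found, so a bundler that has inlined a secret is caught before the file is published. The credential patterns and the sample bundle are assumptions constructed for this example.

```python
import re
from typing import List, NamedTuple

# Illustrative credential shapes for the providers the article names. The
# prefixes follow widely published formats but are an assumption here, not
# rules from the paper; production scanners carry far larger rule sets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "rsa_private_key": re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----"),
}

class Finding(NamedTuple):
    kind: str
    line: int      # 1-based line in the bundle
    redacted: str  # enough to identify the key, not enough to reuse it

def redact(value: str) -> str:
    """Keep the recognisable prefix so the owner can tell which key leaked."""
    return value[:8] + "*" * max(0, len(value) - 8)

def scan_bundle(text: str) -> List[Finding]:
    """Report literal credentials in built JavaScript (or any text).

    A reference such as process.env.FOO is the intended pattern and is left
    alone; the problem is a bundler that replaces it with the real value.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(0))))
    return findings

def deploy_allowed(findings: List[Finding]) -> bool:
    """CI gate: refuse to publish a bundle that carries any literal credential."""
    return not findings

# Constructed minified-bundle sample. No real credential: the AWS value is the
# placeholder key used in AWS's own documentation examples.
SAMPLE_BUNDLE = (
    'const c={region:"us-east-1",accessKeyId:"AKIAIOSFODNN7EXAMPLE",pub:"pk_test_000"};\n'
    'fetch("/api",{headers:{Authorization:"Bearer "+process.env.OPENAI_API_KEY}});\n'
    'var s=new Stripe("sk_live_0123456789abcdef01234567");\n'
)
```

Running `scan_bundle(SAMPLE_BUNDLE)` flags the AWS key on line 1 and the Stripe live key on line 3 while leaving the `process.env` reference and the publishable `pk_test_` value alone.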

Related Articles

A TechRadar report states that over 29 million secrets were leaked on GitHub in 2025. The article suggests that AI is not helping and may be making the situation worse.

Reported by AI

Security specialists have raised alarms over the vulnerability of online accounts, stating that almost half of all passwords in use today can be broken within minutes.

Microsoft has alerted users that hackers are targeting password reset processes to breach accounts. The activity is attributed to the group Storm-2949.

Reported by AI

Daniel Stenberg, creator of the widely used curl program, draws parallels between his project and a cyberattack that nearly succeeded two years ago. In an interview in Huddinge, he stresses the importance of trust in open-source software underpinning the internet. An expert warns he could theoretically shut down half the internet.
