Mallory

Researchers Find 1,748 Valid API Keys Exposed Across Public Websites

Tags: leaked-secret-api-key, cloud-misconfiguration, mass-credential-exposure, financial-sector-threat, critical-infrastructure-threat
Updated April 2, 2026 at 08:04 PM (2 sources)

Researchers from Stanford University, the University of California, Davis, and TU Delft found 1,748 valid API credentials exposed across roughly 10,000 public webpages after analyzing about 10 million websites, revealing a broad secret-leakage problem outside traditional code repositories. The credentials, identified with TruffleHog and detailed in the study Keys on Doormats: Exposed API Credentials on the Web, provided access to services including AWS, GitHub, Stripe, and OpenAI. The exposed secrets were tied to multinational corporations, critical infrastructure operators, government agencies, and at least one global bank.

Most of the exposed credentials were embedded in JavaScript resources, often inside bundled files generated by tools such as Webpack, creating direct paths into cloud infrastructure, payment systems, and software repositories. Researchers said AWS keys made up more than 16% of verified exposures, and cited cases including cloud credentials linked to a global bank’s core infrastructure and firmware repository credentials associated with drones and remote-controlled devices, raising the risk of malicious firmware updates. After responsible disclosure, the number of exposed credentials dropped by about half within two weeks, but the study found such secrets often remain publicly accessible for an average of 12 months and sometimes for years.
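The leakage path described above (a secret baked into a Webpack-style bundle and then served to every visitor) is cheapest to stop before the bundle is published. The script below is an added example written for this page, not code from the study, from TruffleHog, or from Mallory. It walks a build output directory, checks each text asset against the publicly documented prefix formats of the key types the story names (AWS, GitHub, Stripe, OpenAI), adds a generic high-entropy check for secret-looking object properties that minifiers leave intact, and returns findings so a CI step can fail the deploy. The sample bundle, its fake keys (the AWS value is the placeholder key from AWS's own documentation), the property-name list and the entropy threshold are all constructed for the demo and should be tuned against real build output.

```python
import math
import os
import re
import tempfile
from dataclasses import dataclass

# Publicly documented credential prefixes for the key types named in the story.
# Not values from the page; widen or narrow against your own build output.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{10,}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}\b"),
}

# Generic catch-all: a secret-looking property assigned a long string literal.
# Minifiers rename local variables but keep object keys and string literals, so
# this survives bundling. The name list is an assumption chosen for the demo.
GENERIC = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token|password)\b\W{0,3}[:=]\s*[\"']([A-Za-z0-9_\-./+=]{16,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; constructed threshold for the demo
SCAN_EXTENSIONS = {".js", ".mjs", ".map", ".html", ".json"}


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    kind: str
    value: str

    def redacted(self) -> str:
        # Never echo a full secret into CI logs; keep just enough to locate it.
        return f"{self.value[:6]}...{self.value[-2:]}"


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score high, placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, source: str = "<memory>") -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if m.group(0) not in seen:
                    seen.add(m.group(0))
                    findings.append(Finding(source, lineno, kind, m.group(0)))
        for m in GENERIC.finditer(line):
            value = m.group(1)
            # Only report a generic hit if no specific pattern already claimed it.
            if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                seen.add(value)
                findings.append(Finding(source, lineno, "high_entropy_secret", value))
    return findings


def scan_directory(root: str) -> list:
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), source=os.path.relpath(path, root)))
    return findings


def ci_gate(root: str):
    """Return (exit_code, report_lines); exit code 1 blocks the deploy."""
    findings = scan_directory(root)
    report = [f"{f.source}:{f.line} {f.kind} {f.redacted()}" for f in findings]
    return (1 if findings else 0), report


# Constructed minified bundle; every key is fake (the AWS value is AWS's doc placeholder).
_GH = "ghp_FAKE" + "0" * 32    # 36 chars after the prefix, like a real token
_OAI = "sk-FAKE" + "0" * 22
SAMPLE_BUNDLE = (
    "/*! main.bundle.js (constructed sample, every key below is fake) */\n"
    '(()=>{var e={apiKey:"AKIAIOSFODNN7EXAMPLE",region:"us-east-1",secret:"x7Qp2mLz9vRt4wKj8nBh3cDs"};\n'
    'var t={publishableKey:"pk_test_FAKE0000000000000000",password:"changeme_changeme"};\n'
    'fetch("https://api.example.com/v1",{headers:{Authorization:"Bearer ' + _OAI + '"}});\n'
    'var r="https://x-access-token:' + _GH + '@github.com/org/repo.git";\n'
    'var s="sk_test_FAKEKEY0123456789abcdef";})();\n'
)


def demo():
    """Write the sample bundle into a throwaway build dir and run the gate on it."""
    with tempfile.TemporaryDirectory() as build_dir:
        js_dir = os.path.join(build_dir, "static", "js")
        os.makedirs(js_dir)
        with open(os.path.join(js_dir, "main.bundle.js"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_BUNDLE)
        return ci_gate(build_dir)


if __name__ == "__main__":
    code, report = demo()
    print("\n".join(report))
    raise SystemExit(code)
```

Run it directly to see the demo report, or call `ci_gate()` on the real build directory from a pipeline step. Two deliberate non-findings in the sample are worth noting: the Stripe publishable key (`pk_test_...`) is designed to live in client-side code and is not flagged, and the placeholder `changeme_changeme` falls below the entropy threshold, which is why the prefix patterns, not the entropy heuristic, are the primary control.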

Timeline

  1. Mar 27, 2026

    Exposed credential count drops by about half within two weeks

    Within two weeks of the researchers' notifications, the number of exposed credentials fell by roughly 50%, indicating that some affected organizations remediated the issue. Historical analysis in the study also found that exposed credentials typically remain public for about 12 months and sometimes for years.

  2. Mar 27, 2026

    Researchers notify affected organizations of exposed credentials

    After identifying the exposed secrets, the researchers notified affected organizations so they could revoke or remove the credentials. The findings showed many exposures were embedded in JavaScript resources, often in bundled files generated by build tools such as Webpack.

  3. Mar 27, 2026

    Study finds 1,748 valid API credentials exposed across 10,000 webpages

    The researchers verified 1,748 valid exposed API credentials across more than 10,000 webpages, including keys for AWS, GitHub, Stripe, and OpenAI. The exposed credentials affected organizations such as multinational corporations, critical infrastructure entities, government agencies, and at least one global bank.

  4. Mar 27, 2026

    Researchers scan 10 million websites for exposed API secrets

    Researchers from Stanford University, the University of California, Davis, and TU Delft conducted a large-scale analysis of roughly 10 million websites to identify exposed credentials on public webpages, focusing on leakage outside source code repositories.


Related Stories

Mass Exposure of Live Credentials in Public Docker Hub Images

Security researchers at Flare have discovered that over 10,000 public Docker Hub container images are leaking sensitive secrets, including live credentials for production systems, cloud services, CI/CD pipelines, and AI platforms. The exposed data affects more than 100 organizations, ranging from small businesses to a Fortune 500 company and a major national bank. Many of these secrets are not placeholders but active credentials, with nearly 4,000 API keys for large language models such as OpenAI, HuggingFace, Anthropic, Gemini, and Groq found in the wild. In some cases, a single image contained five or more exposed secrets, significantly increasing the risk of unauthorized access to critical infrastructure. The leaks are often the result of developers inadvertently including sensitive files and hard-coded keys in Docker images, which are then published to public repositories. A notable portion of the exposed secrets comes from "shadow IT" accounts—personal or team Docker Hub registries outside formal corporate oversight—making them difficult for organizations to monitor and secure. The majority of affected organizations are in the software development sector, but the exposure also impacts finance, banking, and AI companies. This incident highlights the urgent need for improved security hygiene and automated scanning in the container development lifecycle to prevent inadvertent credential leaks.

1 month ago
Mass Exposure of Credentials via Public Code Formatting Tools

Researchers from WatchTowr identified a significant security risk involving the public exposure of sensitive credentials and secrets through popular online code formatting tools, specifically JSONFormatter and CodeBeautify. These platforms, widely used by developers to format and share code, allow users to save their code snippets, which are then made accessible through a 'Recent Links' feature. Due to predictable URL structures and a lack of access controls, over 80,000 user pastes containing sensitive data—including Active Directory credentials, API keys, private keys, and configuration files—were found to be publicly accessible. The exposed data originated from organizations in critical sectors such as government, banking, healthcare, telecommunications, and cybersecurity. The WatchTowr team demonstrated the real-world risk by planting canary tokens in these services, which were quickly accessed and used by unknown parties, confirming that malicious actors are actively scraping these sources for credentials. The incident highlights the dangers of uploading sensitive information to third-party web services without proper security controls and underscores the need for organizations to educate staff about the risks of using public tools for handling confidential data. The findings have prompted calls for both improved platform security and greater user awareness to prevent similar exposures in the future.

1 month ago
ClickUp API Key Leak Exposed Enterprise Emails and Internal Feature Flags

ClickUp left a hardcoded third-party API key in a publicly accessible JavaScript file on its homepage, exposing **959 email addresses** and **3,165 internal feature flags** through unauthenticated requests. Reports said the issue was disclosed through HackerOne on January 17, 2025, yet the key allegedly remained active and unrotated into late April 2026. The exposed email addresses reportedly belonged to staff at major enterprises including Fortinet, Home Depot, Autodesk, Tenable, Rakuten, Mayo Clinic, Permira, and Akin Gump, as well as government personnel in multiple U.S. states, Queensland, and New Zealand. Researchers said no credentials, bypass, or advanced tooling were needed to retrieve the data because the key was embedded in client-side code loaded before authentication. In addition to personal contact information, the leaked feature flags revealed internal product testing, beta features, A/B experiments, and possible roadmap details, creating risks that include targeted phishing, social engineering, credential-stuffing attempts, competitive intelligence collection, and potential platform abuse. ClickUp had not publicly acknowledged the exposure at the time of reporting.

1 week ago
