Critical security credentials, including API keys, are mistakenly exposed on thousands of websites, putting organizations—ranging from small startups to large banks and healthcare providers—at significant risk.

These leaks could grant unauthorized users access to sensitive data, like RSA private keys, enabling attackers to impersonate servers, decrypt private communications, and potentially seize complete control over a company’s digital infrastructure. “This is a pressing issue impacting entities of all sizes,” states Nurula Demir from Stanford University, California.

Demir and colleagues conducted an analysis of 10 million web pages to identify the extent of exposed API credentials. API keys facilitate seamless communication between different software systems and serve as access tokens for cloud platforms, payment processing, and messaging services.

Through their web scans, the researchers validated 1,748 exposed credentials from 14 leading service providers, including Amazon Web Services, Stripe, GitHub, and OpenAI, found across approximately 10,000 compromised websites.

The accountability for these vulnerabilities lies not with the service providers, but with the developers and operators who misconfigured their websites. While the specific companies affected were not named, they reportedly include “global systemically important financial institutions,” firmware developers, and major hosting platforms.

“We have alerted all entities concerning identified exposures,” said DeMille. Approximately half of the organizations remedied their exposed API keys within two weeks; however, some did not respond.

On average, leaked credentials remain accessible for 12 months, with some lasting as long as five years. The majority (around 84%) of compromised credentials were located within the JavaScript environment, likely due to developers improperly using bundler tools for code packaging.

The remaining 16% originated from third-party resources, where misconfigured external plugins or scripts inadvertently exposed sensitive credentials online.

“None of these developers intended for their systems to be insecure,” explains Katie Paxton-Fear from Manchester Metropolitan University, UK. Issues arose due to programming intricacies, leading to accidental exposure. “They followed best practices, but vulnerabilities emerged during the development process,” she adds.

Leaking API keys is a “significant concern in modern software development,” notes Nick Nikiforakis from Stony Brook University, New York. “API keys replace user credentials, granting authorization without direct authentication. However, their misconfiguration can lead to serious security threats.”

DeMille emphasizes shared responsibility in addressing these vulnerabilities. “Developers must exercise caution in using API credentials,” he advises, alongside ensuring proper configuration of their development environments. He further suggests website-building tool creators should design systems to automatically hide private keys by default, rather than relying on developers to manage these protections manually, and that hosting companies should proactively monitor for exposed keys and disable them immediately.