Security boffins scoured the web and found hundreds of valid API keys

Summary

Researchers scanned about 10 million live websites using TruffleHog and uncovered 1,748 valid API credentials exposed across roughly 10,000 pages. The preprint ‘Keys on Doormats: Exposed API Credentials on the Web’ (arXiv) details that keys granting access to services such as AWS, GitHub, Stripe and OpenAI were discovered, including credentials tied to a global systemically important bank and a firmware developer used by device manufacturers.

Most exposures (84%) were found in JavaScript resources — 62% of those in bundled JS from build tools like Webpack — with HTML and JSON making up most of the remainder. Some unusual cases included a verified GitHub token embedded in a CSS file. The team responsibly disclosed findings and saw exposed credentials halved within about two weeks, but historical data suggests many keys remain exposed for an average of 12 months. The authors validated credentials for 14 providers, so the true scale is likely larger.

Key Points

  • Study scanned ~10 million websites with TruffleHog and verified 1,748 valid API credentials across ~10,000 pages.
  • Exposed keys provided access to major services (AWS, GitHub, Stripe, OpenAI) and to high-risk targets, including a major global bank.
  • 84% of exposures were in JavaScript files; 62% of JS exposures were in bundled code produced by build tools like Webpack.
  • Credentials found could enable cloud infrastructure access, payment fraud, data exfiltration, or malicious firmware updates for devices.
  • Responsible disclosure cut exposures by about half in two weeks, but many keys historically remain exposed for around 12 months.
  • Researchers only validated 14 providers, so reported figures are a lower bound — the real problem is likely much larger.

Why should I read this?

Short version: if you or your team ship JS, you might be accidentally handing attackers the keys to the castle. This is a proper wake-up call — check your bundles, stop baking secrets into client-facing assets, rotate keys and lock down scopes pronto.

Context and relevance

The findings underline a persistent and systemic problem: secrets leaking outside repositories into production assets that are crawled by anyone (and anything) on the web. As organisations move more critical functions to cloud and API-driven services, exposed credentials escalate from nuisance to full-blown incident risk — enabling infrastructure takeover, payment fraud, supply-chain compromise and malicious firmware pushes.

For security teams and developers this ties into wider trends: the need for secret scanning in CI/CD, strict use of secrets managers and environment-only credentials, build-time hygiene to avoid bundling secrets, and least-privilege API scopes. Regulators and customers are increasingly intolerant of preventable exposures, so operational and governance changes will be necessary to reduce recurring risk.
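To make the "secret scanning in CI/CD" and "build-time hygiene" points concrete, here is an added example that is not code from the paper, the Register article, or TruffleHog: a small Node script that scans built front-end assets for strings shaped like credentials of the providers the study names and refuses a deploy when an apparently live one is found. The token shapes are the publicly documented prefixes for AWS access key IDs, GitHub personal access tokens and Stripe secret keys; the OpenAI shape is a loose assumption. The bundle content, the file path and every key value in it are constructed for this example (the AWS value is the placeholder AWS uses in its own docs, which the script deliberately classifies as a placeholder).

```javascript
// Added example (not from the paper, the article or TruffleHog): a pre-deploy
// check that scans built assets for credential-shaped strings. Real pipelines
// would run TruffleHog or a similar verifier; this shows the minimum logic.

// Public token prefixes each provider documents. The OpenAI shape is an
// assumption (keys begin with "sk-", but the exact length varies).
const PATTERNS = [
  { provider: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { provider: "github-pat",        re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { provider: "stripe-secret-key", re: /\bsk_(?:live|test)_[A-Za-z0-9]{24,}\b/g },
  { provider: "openai-api-key",    re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
];

// Documentation placeholders are worth reporting but should not block a deploy
// on their own; liveness verification (as TruffleHog does) decides the rest.
const PLACEHOLDER = /EXAMPLE|SAMPLE|PLACEHOLDER|X{4,}|CHANGEME/i;

// Print only enough of a match to locate it in the bundle; never log the secret.
function redact(token) {
  return token.slice(0, 8) + "..." + token.slice(-4);
}

// Scan one asset; returns one finding per match with a 1-based line number.
function scanAsset(path, text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const { provider, re } of PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({
          path,
          line: idx + 1,
          provider,
          redacted: redact(m[0]),
          placeholder: PLACEHOLDER.test(m[0]),
        });
      }
    }
  });
  return findings;
}

// Fail the pipeline if any non-placeholder match exists.
function shouldBlockDeploy(findings) {
  return findings.some((f) => !f.placeholder);
}

// Constructed sample: the shape a Webpack bundle takes when build-time env
// inlining (DefinePlugin or a framework's public env prefix) pastes a server
// secret into client code. Every value below is made up for this example.
const SAMPLE_BUNDLE = [
  "(()=>{var e={apiBase:\"https://api.example.com\",key:\"sk_live_0a1b2c3d4e5f0a1b2c3d4e5f\"};",
  "fetch(e.apiBase,{headers:{Authorization:\"Bearer ghp_0a1b2c3d4e5f0a1b2c3d4e5f0a1b2c3d4e5f\"}});",
  "var s3={accessKeyId:\"AKIAIOSFODNN7EXAMPLE\",region:\"us-east-1\"};",
  "console.log(\"app ready\")})();",
].join("\n");

function report(findings) {
  for (const f of findings) {
    const tag = f.placeholder ? "placeholder" : "possibly live";
    console.log(`${f.path}:${f.line} ${f.provider} ${f.redacted} [${tag}]`);
  }
  console.log(shouldBlockDeploy(findings) ? "BLOCK deploy" : "ok");
}

// Usage: node scan-bundle.js dist/*.js   (no args: scans the constructed sample)
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const files = process.argv.slice(2);
  const findings = files.length
    ? files.flatMap((p) => scanAsset(p, fs.readFileSync(p, "utf8")))
    : scanAsset("dist/main.js (constructed sample)", SAMPLE_BUNDLE);
  report(findings);
}
```

Run against the sample, the script reports the Stripe and GitHub matches as possibly live and the AWS value as a placeholder, and blocks the deploy. Pattern matching alone gives a lower bound in the same sense the paper's 14 providers do: anything without a distinctive prefix goes unnoticed, which is why a verifying scanner plus a secrets manager (so the value is never in the bundle to begin with) is the durable fix.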

Author style

Punchy: This isn’t just ‘interesting research’ — it’s a practical alarm bell. If your infra talks to cloud APIs, payments or firmware systems, read the paper and act. The drop after disclosures shows fixes are possible, but the longevity of exposures means many organisations are still asleep at the wheel.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/03/27/security_boffins_harvest_bumper_crop/

Paper: https://arxiv.org/abs/2603.12498