‘API credentials are widely and publicly exposed on the web’: Experts scour 10 million web pages and find a shocking amount of security info just lying around
- Thousands of exposed API keys quietly grant access to critical systems
- Public webpages contain credentials that unlock cloud and payment services
- Developers unknowingly leave sensitive API tokens embedded in live websites
Security researchers from Stanford University, UC Davis, and TU Delft say sensitive API credentials are sitting openly on thousands of public webpages, with very little protection.
According to a preprint version of the study on arXiv, the researchers analyzed 10 million webpages and identified 1,748 valid credentials exposed across nearly 10,000 pages.
These credentials cover cloud platforms, payment services, and developer tools used in production environments.
Article continues below
Widespread exposure across everyday websites
The issue cuts across both lesser-known sites and high-profile organizations, including cases tied to financial institutions and infrastructure-related services.
Nurullah Demir, a PhD candidate at Stanford, said, “What we found were highly sensitive API credentials left publicly exposed on public webpages,” describing a pattern that suggests weak controls rather than isolated mistakes.
These credentials function as access tokens that allow applications to interact directly with external systems.
API credentials differ from standard login details because they enable automated and continuous access to services, often without additional verification layers.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Demir noted that such access can extend to databases, storage systems, and key management infrastructure depending on the permissions attached to each key.
One example involved a major financial institution where cloud credentials were embedded in website code, creating direct exposure to internal services.
In another case, repository credentials linked to firmware development were found exposed, raising the possibility of unauthorized code changes and distribution of altered updates.
This expands the risk beyond data access into potential manipulation of software used in connected devices.
The researchers traced most exposures to client-side code, especially JavaScript files delivered to users’ browsers.
About 84% of the identified credentials appeared in JavaScript resources, with many originating from bundled files created by build tools such as Webpack.
These processes can unintentionally include sensitive data when configurations are not tightly controlled.
Other exposures were found in HTML and JSON files, while some appeared in less typical locations such as CSS.
The spread across multiple file types suggests that the problem is embedded in how web assets are prepared and deployed rather than tied to a single development stage.
The study also found that exposed credentials often remain accessible for long periods, ranging from several months to multiple years.
Developers were frequently unaware of the issue until contacted, indicating gaps in monitoring and review processes.
After disclosure efforts began, the number of exposed credentials dropped by roughly half within two weeks.
The researchers caution that their findings likely represent only a lower bound, as they verified credentials from a limited set of service providers.
That leaves open the possibility that far more credentials remain publicly accessible across the web without detection.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Thousands of exposed API keys quietly grant access to critical systems Public webpages contain credentials that unlock cloud and payment services Developers unknowingly leave sensitive API tokens embedded in live websites Security researchers from Stanford University, UC Davis, and TU Delft say sensitive API credentials are sitting openly on thousands…
Recent Posts
- Birdfy’s solar-powered smart feeder is down to one of its best prices
- Are OLED TVs still worth the premium in 2026?
- The Clapper was a bad smart home gadget — and a viral sensation
- Which DJI camera should I buy? Here’s our essential guide to your options, including the results of our in-depth testing
- The future of physical games is not looking great
Archives
- July 2026
- June 2026
- May 2026
- April 2026
- March 2026
- February 2026
- January 2026
- December 2025
- November 2025
- October 2025
- September 2025
- August 2025
- July 2025
- June 2025
- May 2025
- April 2025
- March 2025
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023