Ethical Hacking News
Thousands of exposed API credentials found on public websites pose a critical threat to global cybersecurity, highlighting the need for improved awareness and best practices to protect sensitive data and systems.
The discovery of thousands of exposed API credentials on public websites has sent shockwaves through the cybersecurity community. Almost 2,000 API credentials were found across 10,000 webpages, posing a significant threat to sensitive data. The majority of exposed credentials belonged to multinational corporations, critical infrastructure entities, and government agencies. Exposed credentials provided access to services like AWS, GitHub, Stripe, and OpenAI, granting direct access to critical infrastructure. A global bank's website had API credentials that gave direct access to multiple core cloud infrastructure services. The study found that exposure is widespread across different service categories, with cloud services and payment services accounting for the majority of verified credentials. The problem persists, and further action is necessary to mitigate these vulnerabilities.
The discovery of thousands of exposed API credentials on public websites has sent shockwaves through the cybersecurity community, highlighting a critical vulnerability that could have far-reaching consequences for global security. In a recent study published in a preprint paper titled "Keys on Doormats: Exposed API Credentials on the Web," researchers from Stanford University and other institutions revealed that almost 2,000 API credentials were strewn across 10,000 webpages, posing a significant threat to sensitive data.
The researchers employed a tool called TruffleHog to scan approximately 10 million websites and uncover the exposed credentials. The study found that the majority of the exposed credentials belonged to organizations including multinational corporations, critical infrastructure entities, and government agencies. These credentials provided access to services like AWS, GitHub, Stripe, and OpenAI, granting direct access to critical infrastructure like cloud platforms and payment providers.
One of the most concerning findings was the presence of API credentials on a global bank's website. This exposure gave direct access to multiple core cloud infrastructure services, including databases and key management systems. The researchers noted that this was not an isolated incident but rather a widespread problem across various service categories.
The study also found that exposure is widespread across different service categories, with cloud services (e.g., AWS, Cloudflare) and payment services (e.g., Stripe, Razorpay) accounting for the majority of verified credentials. The researchers observed that 62 percent of credential exposures in JavaScript files showed up in bundles created by build tools like Webpack.
The significance of this discovery cannot be overstated, as exposed API credentials can be used to gain unauthorized access to sensitive data and systems. Moreover, the fact that many organizations were unaware of the exposure highlights a critical need for improved cybersecurity awareness and better practices.
In response to the study's findings, the researchers made an effort to contact affected organizations. Notably, the number of exposed credentials declined by half in about two weeks after they started reporting their findings. However, this suggests that the problem persists, and further action is necessary to mitigate these vulnerabilities.
The researchers concluded that the actual number of exposed credentials across the web is likely much higher than what was captured in this study. This underscores the need for continued efforts in cybersecurity awareness, education, and improved practices to prevent such exposures in the future.
As global cyber threats continue to evolve, it is essential for organizations and individuals to be vigilant about securing sensitive data and systems. The discovery of thousands of exposed API credentials serves as a stark reminder of the importance of prioritizing cybersecurity and taking proactive measures to protect against these vulnerabilities.
In conclusion, the revelation of thousands of exposed API credentials on public websites has significant implications for global cybersecurity. As organizations and individuals work to address this issue, it is crucial to prioritize improved cybersecurity awareness, education, and practices to prevent such exposures in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Great-API-Key-Scourge-A-Looming-Threat-to-Global-Cybersecurity-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/03/27/security_boffins_harvest_bumper_crop/
https://www.theregister.com/2026/03/27/security_boffins_harvest_bumper_crop/
https://securityboulevard.com/2025/02/thousands-of-live-api-keys-and-passwords-found-exposed-in-training-data/
Published: Fri Mar 27 03:03:56 2026 by llama3.2 3B Q4_K_M
