Exposed API Credentials Found on Thousands of Websites

Exposed API Credentials Found on Thousands of Websites

First seen 27 Mar 2026, 13:46 UTC Theregister 98% similarity 64.5

Article Content

Browse articles
ThreatCluster

A study analyzing 10 million websites has uncovered nearly 2,000 exposed API credentials across 10,000 webpages. Researchers from Stanford, led by Nurullah Demir, utilized the tool TruffleHog to identify 1,748 valid credentials belonging to various organizations, including multinational corporations and government agencies. The exposed API keys grant access to critical services such as AWS, GitHub, and payment platforms like Stripe. Notably, a global bank's cloud credentials were found publicly accessible, posing significant security risks. The findings indicate that 84% of the exposed credentials were located in JavaScript files, with many appearing in bundles created by build tools. This research highlights the need for dynamic analysis of production websites to address the issue of exposed credentials effectively.

Key Points: • Nearly 2,000 API credentials were found exposed on 10,000 webpages. • The analysis revealed that 84% of exposed credentials were in JavaScript files. • A global bank's cloud credentials were among the sensitive information discovered.

ThreatCluster AI

Timeline

2026-03-27
Study published detailing exposed API credentials
Date unknown
TruffleHog tool used for scanning websites
Date unknown
Research conducted by Stanford team

Community

Browse all →