'API credentials are widely and publicly exposed on the web': Experts scour 10 million web pages and find a shocking amount of security info just lying around
JavaScript files remain the primary source of widespread credential exposure
- Thousands of exposed API keys quietly grant access to critical systems
- Public webpages contain credentials that unlock cloud and payment services
- Developers unknowingly leave sensitive API tokens embedded in live websites
Security researchers from Stanford University, UC Davis, and TU Delft say sensitive API credentials are sitting openly on thousands of public webpages, with very little protection.
According to a preprint version of the study on arXiv, the researchers analyzed 10 million webpages and identified 1,748 valid credentials exposed across nearly 10,000 pages.
These credentials cover cloud platforms, payment services, and developer tools used in production environments.
Widespread exposure across everyday websites
The issue cuts across both lesser-known sites and high-profile organizations, including cases tied to financial institutions and infrastructure-related services.
Nurullah Demir, a PhD candidate at Stanford, said, “What we found were highly sensitive API credentials left publicly exposed on public webpages,” describing a pattern that suggests weak controls rather than isolated mistakes.
These credentials function as access tokens that allow applications to interact directly with external systems.
API credentials differ from standard login details because they enable automated and continuous access to services, often without additional verification layers.
Demir noted that such access can extend to databases, storage systems, and key management infrastructure depending on the permissions attached to each key.
One example involved a major financial institution where cloud credentials were embedded in website code, creating direct exposure to internal services.
In another case, repository credentials linked to firmware development were found exposed, raising the possibility of unauthorized code changes and distribution of altered updates.
This expands the risk beyond data access into potential manipulation of software used in connected devices.
The researchers traced most exposures to client-side code, especially JavaScript files delivered to users’ browsers.
About 84% of the identified credentials appeared in JavaScript resources, with many originating from bundled files created by build tools such as Webpack.
These processes can unintentionally include sensitive data when configurations are not tightly controlled.
Other exposures were found in HTML and JSON files, while some appeared in less typical locations such as CSS.
The spread across multiple file types suggests that the problem is embedded in how web assets are prepared and deployed rather than tied to a single development stage.
The study also found that exposed credentials often remain accessible for long periods, ranging from several months to multiple years.
Developers were frequently unaware of the issue until contacted, indicating gaps in monitoring and review processes.
After disclosure efforts began, the number of exposed credentials dropped by roughly half within two weeks.
The researchers caution that their findings likely represent only a lower bound, as they verified credentials from a limited set of service providers.
That leaves open the possibility that far more credentials remain publicly accessible across the web without detection.
Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.