Computer security boffins have conducted an analysis of 10 million websites and found almost 2,000 API credentials strewn across 10,000 webpages.

The researchers detail their findings in a preprint paper titled "Keys on Doormats: Exposed API Credentials on the Web," and say they conducted the study because much of the attention on exposed credentials has focused on scouring code repositories and source code. They argue that dynamic analysis of production websites is essential to understand the scope of the problem.

"What we found were highly sensitive API credentials left publicly exposed on public webpages," Nurullah Demir, a PhD candidate at Stanford and corresponding author, told The Register in an email. "These act as access tokens that authorize applications to interact with third-party services, granting direct access to critical infrastructure like cloud platforms and payment providers."

Demir contends that API credentials are even more dangerous than exposed login details because they provide programmatic access to resources.

The researchers scanned approximately 10 million websites using a tool called TruffleHog, and found 1,748 valid credentials belonging to organizations including multinational corporations, critical infrastructure entities, and government agencies. The keys provide access to services like AWS, GitHub, Stripe, and OpenAI.

Demir said one of the affected organizations was a global bank. Another makes firmware for electronic devices.

"A 'Global Systemically Important Financial Institution' exposed its cloud credentials directly on its webpages," said Demir. "This gave direct access to multiple core cloud infrastructure services, including databases and key management systems."

The researchers also found repository credentials for a developer responsible for firmware used by various manufacturers of drones and remote-controlled devices.
Attackers could use those credentials to modify source code and push malicious firmware updates to various ...
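The kind of check the paper's dynamic approach implies, scanning the pages a site actually serves rather than its source repository, can be run against your own deployment before someone else does. The following is an added example, not code from the paper or from TruffleHog: it matches a small set of publicly documented key formats (AWS access key IDs, GitHub personal access tokens, Stripe live secret keys, and a simplified OpenAI pattern), reports only redacted values, and deliberately ignores Stripe publishable keys, which are meant to be public. The sample page is constructed; the key values in it are not real.

```python
import re
from typing import Dict, List

# Publicly documented key formats. This is a small, hand-picked subset of what
# a real scanner such as TruffleHog detects; the OpenAI rule is simplified.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
}


def redact(secret: str) -> str:
    """Keep just enough of a value to triage it; never log the full secret."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_page(body: str) -> List[Dict[str, object]]:
    """Scan one served page body (HTML or JS) and return redacted findings."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(
                    {"type": name, "line": lineno, "value": redact(match.group(0))}
                )
    return findings


# Constructed sample page: one token in an HTML comment, one AWS key in a JS
# config object, and a Stripe publishable key that must NOT be flagged.
SAMPLE_PAGE = """<html><head>
<!-- constructed example: a deploy token left in an HTML comment -->
<!-- token: ghp_0123456789abcdefghijklmnopqrstuvwxyz -->
<script>
  window.APP_CONFIG = {
    region: "eu-west-1",
    awsAccessKeyId: "AKIAEXAMPLEEXAMPLE01",
    stripePublishable: "pk_live_0123456789abcdefghijklmn"
  };
</script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(f"line {finding['line']}: {finding['type']} {finding['value']}")
```

Run it over the bodies returned by an authenticated crawl of your own site (HTML, inline and linked JS, source maps); any hit is a credential to rotate, not merely to delete from the page.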
First seen: 2026-03-27 07:21
Last seen: 2026-03-29 13:53