After analyzing 10 million web pages, researchers found thousands of websites that inadvertently exposed sensitive API credentials, including keys for major services such as Amazon Web Services, Stripe and OpenAI.
This is a serious problem because APIs act as the backbone of the apps we use today. They allow websites to connect to services such as payments, cloud storage and AI tools, but rely on digital keys to ensure security. Once disclosed, API keys can allow anyone to maliciously interact with these services.
Sensitive API keys are exposed on thousands of websites
According to TechXplore, researchers identified 1,748 unique API credentials across nearly 10,000 websites linked to 14 major service providers. These leaks were not limited to obscure websites; some also appeared on platforms operated by global banks and major software developers.
About 84% of these leaks came from JavaScript files that are easily accessible via a browser. This means that the credentials were actually in the publicly visible code.
What’s even more concerning is how long these keys remained exposed. Some were visible for up to 12 months, while in some rare cases the credentials remained public for several years without being detected.
So what is causing these leaks?
The study makes it clear that the problem does not lie with service providers such as Amazon, Stripe or OpenAI. Instead, the problem lies in how developers handle API keys.
In many cases, developers accidentally include private API credentials in a website’s front-end code, leaving them visible to anyone who knows where to look.
How to prevent API keys from being exposed?
To prevent future leaks, the researchers suggest some practical steps. Developers should scan the live version of their websites, not just private code, to detect exposed keys.
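As an added illustration (not code from the study or from any provider), the sketch below scans what a browser actually receives from a site you operate: the served HTML, its inline scripts and the external JavaScript files it references. The regexes are assumptions built from publicly documented key prefixes, the `fetched` mapping is a hypothetical stand-in for crawler output, and the sample keys are constructed placeholders. Stripe publishable keys (`pk_live_`) are meant to appear in client code, so they are deliberately not flagged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumed patterns built from publicly documented key prefixes (not the study's rules).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\b[sr]k_live_[0-9A-Za-z]{24,}\b"),
    "openai_api_key": re.compile(r"\bsk-[0-9A-Za-z_-]{32,}"),
}

class ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and external script URLs from served HTML."""
    def __init__(self):
        super().__init__()
        self.inline, self.external, self._in_inline = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            self._in_inline = not src
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False
    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data)

def redact(secret):
    # Report enough to locate the key without copying it into logs or tickets.
    return secret[:8] + "..." + secret[-4:]

def scan_deployed(page_url, fetched):
    """Scan what browsers receive. `fetched` maps URL -> body (hypothetical crawler output)."""
    collector = ScriptCollector()
    collector.feed(fetched[page_url])
    sources = {page_url + "#inline": "\n".join(collector.inline)}
    for src in collector.external:
        url = urljoin(page_url, src)
        sources[url] = fetched.get(url, "")
    return [(where, kind, redact(m.group()))
            for where, body in sources.items()
            for kind, rx in PATTERNS.items()
            for m in rx.finditer(body)]

# Constructed sample standing in for a live fetch; keys are placeholders, not real credentials.
PAGE, BUNDLE = "https://shop.example/", "https://shop.example/static/app.js"
FETCHED = {
    PAGE: '<script>Stripe("pk_live_' + "1" * 24 + '")</script><script src="/static/app.js"></script>',
    BUNDLE: 'const cfg={aws:"AKIAIOSFODNN7EXAMPLE",stripe:"sk_live_' + "0" * 24 + '"};',
}
```

Any key this reports should be treated as compromised and rotated at the provider, since removing it from the bundle does not undo the time it was public.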
With the advent of vibecoding, companies need stricter rules for automated website building tools that handle sensitive data during deployment. This is why platforms like Lovable have also started adding safe browsing tools to protect users from poorly vibecoded websites.
In the meantime, service providers need to improve their detection systems to flag exposed keys as soon as they appear online. Although responsible disclosure has helped reduce some of these leaks, the scale of the problem remains significant.
Recent reports have also shown that simply visiting a website can expose your device to serious risks, highlighting how fragile web security can be for everyday internet users.




