Thousands of API Credentials Exposed Across 10,000 Websites, Researchers Warn
A recent analysis of 10 million websites has revealed nearly 2,000 exposed API credentials across 10,000 webpages, posing a significant security risk to organizations. Conducted by researchers from Stanford University, the University of California, Davis, and TU Delft, the study used the tool TruffleHog to scan for sensitive credentials embedded in public-facing web content.
The findings, detailed in a preprint paper, identified 1,748 valid credentials for major services, including AWS, GitHub, and Stripe. These credentials, belonging to multinational corporations, critical infrastructure providers, and government agencies, grant programmatic access to cloud platforms, payment systems, and firmware repositories. Among the most concerning discoveries was a global bank exposing cloud credentials on its website, potentially allowing access to core infrastructure. Another case involved firmware repository credentials for drones and remote-controlled devices, raising concerns about malicious updates.
The majority of exposed credentials were found in JavaScript files, with AWS credentials accounting for over 16% of verified exposures. Researchers emphasized that this overlooked attack vector, credentials embedded in webpages rather than in code repositories, presents a direct threat to sensitive systems. The study underscores the need for organizations to monitor and secure publicly accessible web assets to prevent unauthorized access.
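As an added illustration, not part of the brief and not the researchers' tooling, the following Python scans a constructed JavaScript bundle for credential formats that should never be shipped to a browser. The prefix patterns are the publicly documented formats for AWS access key IDs, GitHub classic personal access tokens and Stripe secret keys; the bundle text and every key value in it are constructed placeholders (the AWS one is the placeholder key ID from AWS's own documentation). Unlike TruffleHog, this example does not verify a match against the issuing service, so it reports candidates rather than confirmed live keys.

```python
import re
from dataclasses import dataclass

# Credential formats that have no business in client-side code. The prefixes are the
# publicly documented ones; the body lengths are the common current sizes.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str     # which pattern matched
    line: int     # 1-based line in the scanned asset
    masked: str   # prefix + last 4 characters; never log the full value


def mask(secret: str) -> str:
    """Keep enough of a match to correlate it with the key inventory without re-exposing it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every credential-shaped string in a JavaScript (or any text) asset."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, lineno, mask(match.group(0))))
    return findings


# Constructed bundle fragment for this example; every value below is a placeholder.
SAMPLE_JS = """\
// constructed bundle fragment; every value below is a placeholder, not a real key
const stripe = Stripe("pk_live_CONSTRUCTEDEXAMPLE000000"); // publishable key: public by design
const cfg = {
  region: "us-east-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
};
fetch("https://api.github.com/user", {
  headers: {Authorization: "token ghp_CONSTRUCTEDEXAMPLE000000000000000000"},
});
const serverOnly = "sk_live_CONSTRUCTEDEXAMPLE000000";
"""


def main() -> None:
    for finding in scan_text(SAMPLE_JS):
        print(f"line {finding.line}: {finding.kind} {finding.masked}")


if __name__ == "__main__":
    main()
```

The Stripe publishable key (`pk_live_...`) on line 2 is deliberately not flagged: that key is designed for client-side use, whereas the secret key on the last line is not. In a build pipeline the same `scan_text` would run over every emitted `.js` asset before deployment, and the masked output lets findings be logged and ticketed without copying the secret into yet another place.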
Source: https://www.scworld.com/brief/thousands-of-api-credentials-exposed-on-public-websites
{
  "id": "AWSGITSTR1775163155",
  "linkid": "aws-partners, github, stripe",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [
    {'location': 'Global', 'name': 'Multinational corporations', 'type': 'Corporation'},
    {'location': 'Global', 'name': 'Critical infrastructure providers', 'type': 'Infrastructure Provider'},
    {'location': 'Global', 'name': 'Government agencies', 'type': 'Government'},
    {'industry': 'Banking', 'location': 'Global', 'name': 'Global bank', 'type': 'Financial Institution'}],
 'attack_vector': 'Exposed API credentials in public-facing web content',
 'data_breach': {
    'file_types_exposed': ['JavaScript files'],
    'number_of_records_exposed': '1,748 valid credentials',
    'sensitivity_of_data': 'High (cloud platforms, payment systems, firmware repositories)',
    'type_of_data_compromised': 'API credentials'},
 'description': 'A recent analysis of 10 million websites revealed nearly 2,000 exposed API credentials across 10,000 webpages, posing a significant security risk to organizations. The study identified 1,748 valid credentials for major services, including AWS, GitHub, and Stripe, belonging to multinational corporations, critical infrastructure providers, and government agencies. These credentials grant programmatic access to cloud platforms, payment systems, and firmware repositories. The majority of exposed credentials were found in JavaScript files, with AWS credentials accounting for over 16% of verified exposures.',
 'impact': {
    'brand_reputation_impact': 'Potential reputational damage due to exposed credentials',
    'data_compromised': 'API credentials for cloud platforms, payment systems, and firmware repositories',
    'operational_impact': 'Potential unauthorized access to core infrastructure and sensitive systems',
    'payment_information_risk': 'Potential risk to payment systems',
    'systems_affected': 'Cloud platforms, payment systems, firmware repositories, drones, remote-controlled devices'},
 'lessons_learned': 'Organizations need to monitor and secure publicly accessible web assets to prevent unauthorized access due to exposed credentials.',
 'post_incident_analysis': {
    'corrective_actions': 'Implement credential scanning tools, enforce secure credential management practices, and conduct regular audits of web assets',
    'root_causes': 'Improper handling of sensitive credentials in public-facing web content, lack of monitoring for exposed credentials'},
 'recommendations': 'Implement tools like TruffleHog to scan for exposed credentials, enforce strict credential handling policies, and regularly audit public-facing web content.',
 'references': [
    {'source': 'Preprint paper by researchers from Stanford University, University of California, Davis, and TU Delft'}],
 'title': 'Thousands of API Credentials Exposed Across 10,000 Websites, Researchers Warn',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Improper handling of sensitive credentials in web assets'}