Researchers Find Exposed API Credentials Online
Researchers from Stanford, UC Davis and TU Delft scanned roughly 10 million websites and found 1,748 valid API credentials across about 10,000 webpages. The findings are detailed in a preprint titled "Keys on Doormats." The study shows that AWS keys accounted for over 16% of verified exposures, that 84% of leaks were in JavaScript, and that many credentials remained exposed for an average of 12 months.
Key Points
- Found 1,748 valid API credentials across roughly 10,000 webpages after scanning about 10 million sites
- The exposed credentials give access to AWS, GitHub, Stripe and OpenAI, enabling programmatic access to cloud and payment infrastructure
- Impacts: attackers could modify firmware or databases; practitioners must scan production sites beyond code repositories
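As an added example (not code from the study or from this report), here is a minimal Python check a team could run over its own built JavaScript bundles, following the point that scanning must cover what is served in production and not only the repository. The token prefixes are commonly documented formats and the lengths are assumptions; matches are candidates for review, not verified credentials, and the sample bundle is constructed.

```python
import re

# Commonly documented key formats for the four providers named above.
# Lengths are assumptions and may lag behind provider changes.
PATTERNS = {
    # An access key ID is an identifier; finding one usually means the
    # secret access key sits nearby in the same file.
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "github_token": re.compile(r"(?<![A-Za-z0-9_])gh[pousr]_[A-Za-z0-9]{36}(?![A-Za-z0-9])"),
    "stripe_live_secret": re.compile(r"(?<![A-Za-z0-9_])sk_live_[A-Za-z0-9]{24,}"),
    "openai_key": re.compile(r"(?<![A-Za-z0-9_])sk-(?:proj-)?[A-Za-z0-9_-]{32,}"),
}

def redact(secret, keep=4):
    """Keep a short prefix so a finding can be located without re-leaking it."""
    return secret[:keep] + "*" * (len(secret) - keep)

def scan_js(name, source):
    """Return sorted, de-duplicated (file, line_no, kind, redacted) findings."""
    findings = set()
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.add((name, line_no, kind, redact(match.group(0))))
    return sorted(findings)

# Constructed placeholder values, assembled at runtime; none is a real key.
FAKE_AWS = "AKIA" + "EXAMPLE0" * 2
FAKE_STRIPE = "sk_live_" + "0" * 24
FAKE_GITHUB = "ghp_" + "a" * 36

# Constructed stand-in for a minified production bundle.
SAMPLE_BUNDLE = "\n".join([
    'const cfg = {region: "us-east-1", accessKeyId: "' + FAKE_AWS + '"};',
    'fetch(u, {headers: {Authorization: "Bearer ' + FAKE_STRIPE + '"}});',
    'const publishable = "pk_live_' + "0" * 24 + '";',  # public by design
    'const gh = "' + FAKE_GITHUB + '";',
])

if __name__ == "__main__":
    for finding in scan_js("app.min.js", SAMPLE_BUNDLE):
        print(finding)
```

Run the same function over every file in the build output that is actually deployed, and treat any hit as a credential to rotate rather than only a string to delete.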
Scoring Rationale
Large-scale empirical evidence drives score, but preprint format and limited service verification constrain broader generalizability.
