Widespread Security Flaws Expose Critical Credentials on Thousands of Websites


Thousands of websites, including those belonging to major banks and healthcare providers, have inadvertently leaked sensitive security credentials, potentially granting unauthorized access to critical systems. A new study finds that API keys, RSA private keys and other secrets remain publicly accessible for months, even years, posing a significant risk to digital infrastructure.

The Scope of the Problem

Researchers at Stanford University analyzed 10 million web pages and identified 1,748 active credentials from 14 major service providers – including Amazon Web Services, Stripe, GitHub, and OpenAI – scattered across nearly 10,000 websites. These credentials act as access tokens for cloud platforms, payment processors, and messaging services, allowing attackers to impersonate servers, decrypt communications, or seize administrative control.

The issue isn’t a direct fault of the service providers themselves but stems from poor security practices by software developers and website operators. The researchers identified affected entities including a “global systemically important financial institution,” a “firmware developer,” and a “major hosting platform.”

How Credentials Are Leaked

The majority (84%) of exposed credentials were found in JavaScript served to the browser, most likely because build tooling bundled server-side configuration into client-side code. The other 16% originated from poorly configured third-party resources, such as vulnerable plugins or scripts.

“None of these developers intended to be insecure; many of them didn’t even actually make a mistake in the first place. The API keys were instead made public because of programming quirks associated with how the language works and runs on the server.” – Katie Paxton-Fear, Manchester Metropolitan University.

This points to a systemic weakness: a developer can follow otherwise sound practices and still expose a secret, because the way a framework or bundler handles environment variables and configuration decides what ends up in the page.

Response and Mitigation

Researchers notified affected organizations, and roughly half removed the exposed keys within two weeks. However, some entities did not respond, leaving credentials publicly accessible for an average of 12 months – with some remaining online for up to five years.

Tackling the issue requires a multi-faceted approach: developers must configure build and deployment environments carefully, tool creators must design software that keeps secrets out of client-side bundles by default, and hosting platforms should actively scan served content for leaked credentials and deactivate them.
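The bundled-JavaScript leak described above and the scanning that hosting platforms are urged to perform are two sides of the same check. The following is an added example for this article, not code from the Stanford study or from any of the providers named: a small heuristic scanner that walks a served JavaScript file line by line, matches the publicly documented prefixes of AWS access key IDs, Stripe live secret keys, GitHub personal access tokens and OpenAI keys, plus the RSA PEM header, and drops low-entropy matches that are almost certainly template placeholders. The token regexes are approximations of the documented formats (the OpenAI one in particular is an assumption about the older key shape), the sample bundle is constructed, and the AWS key in it is Amazon's documentation placeholder, not a live credential.

```python
"""Heuristic scanner for secrets leaked into browser-served JavaScript.

Added example for this article (not the study's tooling). Regexes are
approximate, publicly documented prefixes; the sample bundle below is
constructed and contains no live credentials.
"""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    provider: str
    value: str
    line: int


# Repeated filler such as "xxxx" has zero entropy; real key material is
# close to random. 3.0 bits/char is a conservative cut-off for this demo.
MIN_ENTROPY = 3.0

# (provider, pattern, apply_entropy_filter). Each pattern exposes a
# "body" group holding the variable part so entropy is not diluted by
# the fixed prefix. The PEM header is a fixed marker, so no entropy check.
RULES = [
    ("aws", re.compile(r"\b(?P<prefix>AKIA)(?P<body>[0-9A-Z]{16})\b"), True),
    ("stripe", re.compile(r"\b(?P<prefix>sk_live_)(?P<body>[0-9a-zA-Z]{24,})\b"), True),
    ("github", re.compile(r"\b(?P<prefix>ghp_)(?P<body>[A-Za-z0-9]{36})\b"), True),
    # Assumption: older OpenAI key shape, "sk-" followed by a long alphanumeric run.
    ("openai", re.compile(r"\b(?P<prefix>sk-)(?P<body>[A-Za-z0-9]{20,})\b"), True),
    ("rsa_private_key", re.compile(r"-----BEGIN RSA PRIVATE KEY-----"), False),
]


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str, min_entropy: float = MIN_ENTROPY) -> list[Finding]:
    """Return every credential-looking match, with its 1-based line number."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for provider, pattern, check_entropy in RULES:
            for m in pattern.finditer(line):
                if check_entropy and shannon_entropy(m.group("body")) < min_entropy:
                    continue  # placeholder like sk_live_xxxx..., not a real key
                findings.append(Finding(provider, m.group(0), lineno))
    return findings


def redact(secret: str, keep: int = 8) -> str:
    """Reports must not re-leak the secret; keep just enough to identify it."""
    return secret[:keep] + "..." if len(secret) > keep else secret


# Constructed minified-style bundle fragment. The AWS key is Amazon's
# documentation placeholder; the others are made-up strings of the right shape.
SAMPLE_BUNDLE = """\
// constructed bundle fragment, not from a real site
var cfg={region:"us-east-1",accessKeyId:"AKIAIOSFODNN7EXAMPLE",stripe:"sk_live_4eC39HqLyjWDarjtT1zdp7dc"};
const GH_TOKEN="ghp_16C7e42F292c6912E7710c838347Ae178B4a";
const PLACEHOLDER="sk_live_xxxxxxxxxxxxxxxxxxxxxxxx"; // template value, should be filtered out
const SIGNING_KEY=`-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...redacted...
-----END RSA PRIVATE KEY-----`;
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_BUNDLE):
        print(f"line {f.line}: {f.provider} -> {redact(f.value)}")
```

A prefix match only says a string has the shape of a credential; the study counted credentials that were actually active, which requires checking each candidate against the issuing provider, and a production pipeline should do that with care (rate limits, logging, and never storing the full value). Entropy filtering cuts obvious placeholders but is a heuristic: a short or oddly structured real key can fall under the threshold, so tune it against your own false-positive and false-negative rates.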

The widespread nature of this vulnerability underscores a critical flaw in modern software development. A leaked API key lets an attacker act as the authorized user, with potentially catastrophic consequences. The problem is not just technical; it’s also about awareness and shared responsibility across the entire digital ecosystem.