API credentials exposed on web reach thousands across major platforms

By Kavitha Nair
Tech writer at All Things Geek. Covers the business and industry of technology.

API credentials exposed on the web are one of the most persistent yet preventable security failures in modern development. Researchers analyzing more than 10 million websites discovered at least 1,748 active credentials for major platforms including Amazon Web Services (AWS), Stripe, and OpenAI sitting in publicly served JavaScript files. Some had been exposed for months, others for years, leaving attackers a long window in which to abuse cloud access, run up charges, or reach sensitive data.

Key Takeaways

  • Researchers scanned over 10 million websites and found 1,748 active API credentials embedded in public JavaScript files
  • Exposed secrets linked to AWS, Stripe, and OpenAI remained undetected for months to years without remediation
  • Truffle Security identified nearly 12,000 valid live secrets in AI training datasets, expanding the exposure surface
  • API credentials embedded in front-end code are downloaded by every visitor's browser and readable by anyone who opens the page source; no backend control protects them
  • Snyk reported 28.65 million hardcoded secrets added to public GitHub in 2025, showing the scale of the problem

How Exposed API Credentials End Up in Public View

The mechanism is embarrassingly simple. Developers hardcode API keys, authentication tokens, and even database passwords directly into the JavaScript files that ship with a website. When a browser requests a page, it downloads those files, credentials and all. Anyone reading the page source, opening the browser's developer tools, or running a basic scraper can extract them in seconds. The researchers found the credentials in front-end HTML and JavaScript on live sites, not in backend systems or protected databases. There is no way to hide a value from a user whose browser has to execute the code containing it, so any secret that must stay private belongs on a server. Providers draw exactly this line: a Stripe publishable key is meant to ship in the browser; a secret key never is. This is not a sophisticated attack; it is a visibility problem that affects thousands of sites simultaneously.
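The pattern described above, as an added example written for this edit (it is not code from the article or from the researchers): the browser-side call that ships the provider key to every visitor, beside the hardened version in which the browser calls its own backend and the key is read from the server's environment. It runs under Node without making any network request; the key values and the `/api/complete` route are constructed placeholders.

```javascript
// Added example, not from the article: front-end key exposure beside the
// server-side pattern that avoids it. All keys below are constructed
// placeholders; nothing here talks to the network.

// INSECURE: a literal in code that the bundler ships to every browser.
const OPENAI_KEY_IN_BUNDLE = "sk-proj-EXAMPLE000000000000000000000000000000";

function insecureBrowserRequest(prompt) {
  // Anyone can pull this header out of the bundle, DevTools, or a scraper.
  return {
    url: "https://api.openai.com/v1/chat/completions",
    headers: { Authorization: `Bearer ${OPENAI_KEY_IN_BUNDLE}`, "Content-Type": "application/json" },
    body: JSON.stringify({ model: "gpt-4o-mini", messages: [{ role: "user", content: prompt }] }),
  };
}

// HARDENED (client half): the browser only talks to our own backend and
// never sees the provider key. The route name is a constructed example.
function secureBrowserRequest(prompt) {
  return {
    url: "/api/complete",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ prompt }),
  };
}

// HARDENED (server half): the key comes from the process environment,
// injected at deploy time by the platform or a secrets manager. `env` is a
// parameter rather than process.env so the function can be exercised with a
// constructed environment.
function serverProxyRequest(env, prompt) {
  const key = env.OPENAI_API_KEY;
  if (!key) {
    // Fail closed. A missing secret must be an error, never a fallback literal.
    throw new Error("OPENAI_API_KEY is not set");
  }
  if (typeof prompt !== "string" || prompt.length === 0 || prompt.length > 4000) {
    throw new Error("invalid prompt");
  }
  return {
    url: "https://api.openai.com/v1/chat/completions",
    headers: { Authorization: `Bearer ${key}`, "Content-Type": "application/json" },
    body: JSON.stringify({ model: "gpt-4o-mini", messages: [{ role: "user", content: prompt }] }),
  };
}

// What the server sends back to the browser: the completion text only.
// Passing the raw provider response through would leak metadata the client
// has no business seeing.
function clientSafeResponse(providerJson) {
  const text = providerJson?.choices?.[0]?.message?.content ?? "";
  return { completion: text };
}

// Check what actually ships: does the built client code contain anything
// shaped like an OpenAI or Stripe secret key?
function bundleLeaksSecret(bundleSource) {
  return /\b(sk-[A-Za-z0-9_-]{20,}|sk_live_[A-Za-z0-9]{24,})\b/.test(bundleSource);
}
```

Run `bundleLeaksSecret` over the built bundle, not the source tree: that is the file browsers download, and it is where an inlined value ends up.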

What makes this particularly dangerous is the duration of exposure. Some credentials remained active and undetected for several years, according to the research. A developer commits a key to the repository, it gets bundled into the production build, and nobody notices. Months pass. Attackers harvest the credential from public sources. By the time the organization discovers the breach, attackers have already accessed cloud infrastructure, pivoted to other systems, or extracted customer data. Even a single compromised key can lead to cascading risks across an entire cloud environment.

The Scale of Exposed API Credentials Across the Web

The primary study examined more than 10 million websites using data from the HTTP Archive and validated 1,748 credentials as active by testing them against the actual providers. That number alone is alarming, but it understates the broader problem. A related investigation by Truffle Security scanned Common Crawl's December 2024 snapshot, 2.67 billion web pages, and found nearly 12,000 valid live secrets, including API keys, passwords, and tokens for services such as AWS, Mailchimp, Slack, and GitHub. The difference in scale reflects dataset size, but both studies confirm the same pattern: exposed API credentials are not a rare edge case but a widespread systemic failure.

The problem extends beyond direct web exposure. Snyk reported that 28.65 million hardcoded secrets were added to public GitHub repositories in 2025 alone. When developers push code with embedded credentials to GitHub, those secrets stay in the repository's history even after a later commit deletes them, and by then the value has usually been cloned, indexed, and scraped, so rewriting history does not undo the exposure; only rotation does. AI training datasets ingest this data at scale, and models and code suggestion tools may then recommend insecure patterns to new developers, perpetuating the cycle. SpyCloud's research identified 18.1 million exposed API credentials captured from infostealer malware, showing that once credentials leak, they circulate through criminal marketplaces.

Why Exposed API Credentials Persist Despite Known Risks

The persistence of this problem is not due to ignorance—it is due to friction and culture. Developers know they should use environment variables, secrets managers, and CI/CD pipeline integrations to keep credentials out of code. But setting up a secrets manager takes time. Debugging with hardcoded keys is faster. Pushing a quick fix before a deadline feels safer than waiting for infrastructure changes. Organizations lack automated scanning in their build pipelines, so credentials slip through code review. The result: a massive gap between best practice and actual practice.

Another factor is discovery lag. Unlike a SQL injection vulnerability that shows up in a security scan, hardcoded credentials do not trigger traditional vulnerability scanners; only a dedicated secrets scanner looks for them. The credential sits in a JavaScript file, visible to anyone, but a download of that file looks like any other page load, so the exposure itself is invisible to the site, and unless someone is watching the provider's API logs, the misuse is invisible too. By the time a researcher publishes a study or a security firm sends a notification, the exposure has often been public for years. The attacker already has what they need.

Comparing Exposure Methods: Direct Web vs. Training Data

The primary study focuses on credentials embedded directly in public websites—what researchers call front-end exposure. A separate finding from Truffle Security highlights a different vector: API credentials exposed in AI training datasets. The Common Crawl snapshot used to train large language models and AI tools contains thousands of valid live secrets. When developers ask an AI assistant for code examples, the model might suggest patterns that include leaked credentials from its training data. This creates a feedback loop where insecure patterns become normalized and propagated at scale.

What Organizations Should Do Right Now

The immediate action is scanning. Run a secrets detection tool across all repositories, build artifacts, and deployed code. Tools like TruffleHog can identify exposed credentials in Git history and public sources. For existing deployments, audit the JavaScript bundles actually served to browsers, not just the source tree, because a build step can inline a value that never appeared as a literal in the repository; rotate any credential found. Implement pre-commit hooks that block commits containing API keys, passwords, or tokens. Use environment variables and secrets management platforms, not configuration files or hardcoded strings, and remember that an environment variable only keeps a secret if it is read on the server: a variable a bundler substitutes into client code at build time ships to the browser just like a literal.

Longer term, shift left. Add secrets scanning to the CI/CD pipeline so credentials are caught before code reaches production. Educate developers on why this matters: a single leaked credential can compromise an entire AWS account or Stripe integration. Make secrets management as easy as importing an environment variable. Scope each credential to the least privilege its job needs and prefer short-lived credentials where the provider supports them, so that a leak is bounded rather than total. Monitor for unauthorized access to cloud resources and set up alerts for unusual API activity. The cost of prevention is far lower than the cost of breach response, data recovery, and customer notification.

Are exposed API credentials a risk to my business?

If your organization has any web-facing code, JavaScript bundles, or public repositories, the answer is yes. Even one exposed credential can grant attackers access to your cloud infrastructure, payment systems, or databases. The research shows that thousands of organizations are currently exposed and do not know it. Scanning your own codebase should be a priority, not an afterthought.

How can I find exposed API credentials in my code?

Use automated secrets scanning tools that check Git history, current repositories, and built artifacts. Tools such as TruffleHog and Snyk, and GitHub's own secret scanning, look for patterns matching API keys, database passwords, and authentication tokens, and many integrate directly into GitHub, GitLab, and CI/CD pipelines. Start with your public repositories, then extend scanning to private code and to the files your web servers actually serve; attackers look everywhere.
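A minimal version of the scanner the previous section and this answer both recommend, as an added example written for this edit (it is not code from the article, from TruffleHog, or from any other named tool). It checks text for provider-specific key formats, falls back to an entropy test for generic `secret = "..."` assignments, and masks every value it reports so the report itself cannot leak. The sample bundle is constructed: its values are placeholders or AWS's published documentation examples, and the entropy threshold is a hand-tuned assumption.

```javascript
// Added example, not from the article or from any named scanner: a small
// secrets scanner for Node. It scans text (a served bundle, a source file,
// the output of `git log -p`) for known credential formats plus generic
// high-entropy assignments, and reports each hit with a masked value so the
// report cannot leak the secret. SAMPLE_BUNDLE is constructed; every value
// in it is a placeholder or a provider's published documentation example.

const PATTERNS = [
  // Provider-specific shapes: fixed prefix and length, few false positives.
  { name: "AWS access key ID",  re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { name: "Stripe live secret", re: /\bsk_live_[0-9A-Za-z]{24,}\b/g },
  { name: "OpenAI API key",     re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/g },
  { name: "GitHub token",       re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { name: "Slack token",        re: /\bxox[baprs]-[0-9A-Za-z-]{10,}\b/g },
];

// Generic catch: a secret-looking name assigned a long string literal.
const ASSIGNMENT = /(secret|token|api[_-]?key|password|passwd)\w*\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]/gi;
const ENTROPY_THRESHOLD = 3.5; // bits per character; assumed starting point, tune per code base

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Keep enough to recognise the finding, never enough to use it.
function maskSecret(v) {
  return v.length <= 8 ? "****" : `${v.slice(0, 4)}...${v.slice(-4)}`;
}

function matchesKnownFormat(literal) {
  return PATTERNS.some(({ re }) => { re.lastIndex = 0; return re.test(literal); });
}

function scanText(text, source = "<input>") {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const { name, re } of PATTERNS) {
      re.lastIndex = 0;
      let m;
      while ((m = re.exec(line)) !== null) {
        findings.push({ source, line: idx + 1, type: name, value: maskSecret(m[0]) });
      }
    }
    ASSIGNMENT.lastIndex = 0;
    let m;
    while ((m = ASSIGNMENT.exec(line)) !== null) {
      const literal = m[2];
      // Skip what a specific pattern already reported, and skip low-entropy
      // placeholders such as REPLACE_ME that are not real secrets.
      if (!matchesKnownFormat(literal) && shannonEntropy(literal) >= ENTROPY_THRESHOLD) {
        findings.push({ source, line: idx + 1, type: `high-entropy ${m[1].toLowerCase()}`, value: maskSecret(literal) });
      }
    }
  });
  return findings;
}

// Scan files on disk, e.g. everything under a build output directory.
function scanFiles(paths) {
  const fs = require("fs"); // required lazily so the pure functions above stay environment-free
  return paths.flatMap((p) => scanText(fs.readFileSync(p, "utf8"), p));
}

// Constructed sample of a minified bundle. Line 2 is a Stripe *publishable*
// key, which belongs in the browser and must not be flagged; the AWS values
// on line 3 are AWS's own documentation examples.
const SAMPLE_BUNDLE = [
  "// constructed sample bundle; placeholders only",
  'const stripe = Stripe("pk_live_PLACEHOLDERPUBLISHABLEKEY00");',
  'const s3 = new AWS.S3({accessKeyId:"AKIAIOSFODNN7EXAMPLE",secretAccessKey:"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"});',
  'fetch("https://api.openai.com/v1/models",{headers:{Authorization:"Bearer sk-proj-ab12CD34ef56GH78ij90KL12mn34OP56"}})',
  'const api_key = "REPLACE_ME_REPLACE_ME";',
  'const stripeSecret = "sk_live_PLACEHOLDER0000000000000001";',
].join("\n");

console.log(scanText(SAMPLE_BUNDLE, "bundle.js"));
```

To use it as the pre-commit gate the text recommends, run `scanText` over the output of `git diff --cached` and refuse the commit when the result is non-empty; to audit what is actually served, point `scanFiles` at the build output directory rather than the source tree, since that is what browsers download. A hit is a candidate, not a confirmed live key: the studies above validated each one against the provider, which this offline scanner deliberately does not do.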

What should I do if I find an exposed credential?

Rotate it immediately. Revoke the old credential in your API provider's dashboard and generate a new one; deleting the key from the code without revoking it changes nothing, because copies already exist. Review the provider's access logs to check whether the credential was used by unauthorized parties. If it was, investigate what data or systems were accessed and whether the attacker created anything that outlives the key, such as new users, access keys, or roles. Update your code to use the new credential and deploy the fix. Only then should you consider the incident closed, and even then, monitor for suspicious activity for weeks afterward.
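The log review step above, as an added example written for this edit (not code from the article): given the records the cloud provider keeps for a key, it isolates calls made after the exposure date from sources you do not recognise, summarises what each source tried, and flags two things an incident handler needs to know at once, whether the key was actively reconnoitred and whether any persistence was created that rotation alone will not remove. Field names follow the AWS CloudTrail record format; the records, key ID, IP addresses, and dates are constructed.

```javascript
// Added example, not from the article: post-rotation triage of an exposed
// key's usage. Field names follow the AWS CloudTrail record format
// (eventTime, eventName, eventSource, sourceIPAddress, userIdentity.accessKeyId,
// errorCode); the records, key ID, IPs and dates are constructed.

const EXPOSED_KEY_ID = "AKIAIOSFODNN7EXAMPLE"; // AWS documentation example ID
const EXPOSED_SINCE = "2025-03-01T00:00:00Z";   // assumption: date of the commit that introduced the key
const KNOWN_SOURCES = ["203.0.113.10", "203.0.113.11"]; // constructed: our app server and CI egress IPs

// API calls an attacker typically makes first with a freshly harvested key.
const RECON_CALLS = new Set(["GetCallerIdentity", "ListBuckets", "ListUsers", "GetAccountSummary", "DescribeInstances"]);

// Changes that outlive the rotated key and need their own cleanup.
const PERSISTENCE_CALLS = new Set(["CreateUser", "CreateAccessKey", "CreateRole", "AttachUserPolicy", "PutUserPolicy", "CreateLoginProfile"]);

function triageKeyUsage(events, { accessKeyId, exposedSince, knownSources }) {
  const since = Date.parse(exposedSince);
  const suspicious = events
    .filter((e) => e.userIdentity && e.userIdentity.accessKeyId === accessKeyId)
    .filter((e) => Date.parse(e.eventTime) >= since && !knownSources.includes(e.sourceIPAddress))
    .sort((a, b) => Date.parse(a.eventTime) - Date.parse(b.eventTime));

  const sources = {};
  for (const e of suspicious) {
    const s = sources[e.sourceIPAddress] || (sources[e.sourceIPAddress] = { calls: 0, denied: 0, apis: new Set() });
    s.calls += 1;
    if (e.errorCode) s.denied += 1; // denied calls still reveal what the attacker tried
    s.apis.add(`${e.eventSource.split(".")[0]}:${e.eventName}`);
  }
  for (const s of Object.values(sources)) s.apis = [...s.apis].sort();

  return {
    suspiciousCount: suspicious.length,
    firstSeen: suspicious.length ? suspicious[0].eventTime : null,
    lastSeen: suspicious.length ? suspicious[suspicious.length - 1].eventTime : null,
    sources,
    reconObserved: suspicious.some((e) => RECON_CALLS.has(e.eventName)),
    // Only successful persistence calls matter: a denied CreateUser created nothing.
    persistenceCreated: suspicious
      .filter((e) => PERSISTENCE_CALLS.has(e.eventName) && !e.errorCode)
      .map((e) => `${e.eventName}@${e.eventTime}`),
  };
}

// Constructed records. Deliberately out of time order to show the sort.
const SAMPLE_EVENTS = [
  { eventTime: "2025-02-20T09:00:00Z", eventName: "PutObject",         eventSource: "s3.amazonaws.com",  sourceIPAddress: "203.0.113.10", userIdentity: { accessKeyId: EXPOSED_KEY_ID } },
  { eventTime: "2025-03-02T03:14:30Z", eventName: "ListBuckets",       eventSource: "s3.amazonaws.com",  sourceIPAddress: "198.51.100.7", userIdentity: { accessKeyId: EXPOSED_KEY_ID } },
  { eventTime: "2025-03-02T03:14:00Z", eventName: "GetCallerIdentity", eventSource: "sts.amazonaws.com", sourceIPAddress: "198.51.100.7", userIdentity: { accessKeyId: EXPOSED_KEY_ID } },
  { eventTime: "2025-03-02T03:15:00Z", eventName: "RunInstances",      eventSource: "ec2.amazonaws.com", sourceIPAddress: "198.51.100.7", userIdentity: { accessKeyId: EXPOSED_KEY_ID }, errorCode: "Client.UnauthorizedOperation" },
  { eventTime: "2025-03-02T03:16:00Z", eventName: "CreateAccessKey",   eventSource: "iam.amazonaws.com", sourceIPAddress: "198.51.100.7", userIdentity: { accessKeyId: EXPOSED_KEY_ID } },
  { eventTime: "2025-03-02T10:00:00Z", eventName: "PutObject",         eventSource: "s3.amazonaws.com",  sourceIPAddress: "203.0.113.11", userIdentity: { accessKeyId: EXPOSED_KEY_ID } },
  { eventTime: "2025-03-02T10:05:00Z", eventName: "GetObject",         eventSource: "s3.amazonaws.com",  sourceIPAddress: "203.0.113.10", userIdentity: { accessKeyId: "AKIAOTHERKEY00000001" } },
];

console.log(JSON.stringify(
  triageKeyUsage(SAMPLE_EVENTS, { accessKeyId: EXPOSED_KEY_ID, exposedSince: EXPOSED_SINCE, knownSources: KNOWN_SOURCES }),
  null, 2));
```

Set `exposedSince` to the earliest date the key could have been public, typically the first commit that contains it (`git log -S '<key>' --reverse` on the repository) or the crawl date if a researcher found it, whichever is earlier. In the constructed data the sequence from the unknown address, identity check, bucket listing, a denied instance launch, then a successful `CreateAccessKey`, is the signature of a harvested key followed by an attempt to keep access after rotation, so the new access key has to be found and deleted as part of closing the incident.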

Exposed API credentials on public websites are not a new problem, but the scale and persistence revealed by recent research should alarm every organization with web-facing code. Thousands of active credentials are sitting in plain sight right now, waiting to be harvested. The fix is straightforward: stop putting secrets in code, scan for existing exposures, and rotate anything found. The only surprising element is how long it has taken the industry to treat this as a priority.

Edited by the All Things Geek team.

Source: TechRadar
