'API credentials are widely and publicly exposed on the web': Experts scour
10 million web pages and find a shocking amount of security info just lying around
Date:
Wed, 01 Apr 2026 20:10:00 +0000
Description:
Researchers examined millions of webpages and found thousands of exposed API credentials, revealing persistent security gaps across cloud services and development environments.
FULL STORY ======================================================================
Thousands of exposed API keys quietly grant access to critical systems
Public webpages contain credentials that unlock cloud and payment services
Developers unknowingly leave sensitive API tokens embedded in live websites
Security researchers from Stanford University, UC Davis, and TU Delft say sensitive API credentials are sitting openly on thousands of public webpages, with very little protection.
According to a preprint version of the study on arXiv, the researchers analyzed 10 million webpages and identified 1,748 valid credentials exposed across nearly 10,000 pages. These credentials cover cloud platforms, payment services, and developer tools used in production environments.
Widespread exposure across everyday websites
The issue cuts across both lesser-known sites and high-profile organizations, including cases tied to financial institutions and infrastructure-related services.
Nurullah Demir, a PhD candidate at Stanford, said, "What we found were highly sensitive API credentials left publicly exposed on public webpages," describing a pattern that suggests weak controls rather than isolated mistakes.
These credentials function as access tokens that allow applications to interact directly with external systems.
API credentials differ from standard login details because they enable automated and continuous access to services, often without additional verification layers.
Demir noted that such access can extend to databases, storage systems, and
key management infrastructure depending on the permissions attached to each key.
One example involved a major financial institution where cloud credentials were embedded in website code, creating direct exposure to internal services.
In another case, repository credentials linked to firmware development were found exposed, raising the possibility of unauthorized code changes and distribution of altered updates.
This expands the risk beyond data access into potential manipulation of software used in connected devices.
The researchers traced most exposures to client-side code, especially JavaScript files delivered to users' browsers.
About 84% of the identified credentials appeared in JavaScript resources,
with many originating from bundled files created by build tools such as Webpack.
These processes can unintentionally include sensitive data when
configurations are not tightly controlled.
Other exposures were found in HTML and JSON files, while some appeared in
less typical locations such as CSS.
The spread across multiple file types suggests that the problem is embedded
in how web assets are prepared and deployed rather than tied to a single development stage.
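A pre-deployment check of the kind this finding calls for, added here as an example that is not from the study or the article: it scans built assets (a Webpack-style bundle, HTML, JSON and CSS, all constructed samples) for credential-shaped strings so a leak is caught before the files are served. The three patterns are illustrative heuristics of my own, not the researchers' validation method; AKIAIOSFODNN7EXAMPLE is AWS's publicly documented placeholder key.

```javascript
// Added example: scan built web assets for credential-shaped strings before deploy.
// Patterns are illustrative heuristics (assumed), not an exhaustive secret detector.
const SECRET_PATTERNS = [
  // AWS access key IDs are documented as "AKIA" followed by 16 uppercase alphanumerics
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  // A key-like name (api_key, apiKey, secret, token) assigned a long opaque value
  { name: 'generic-api-key', re: /\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*["']?([A-Za-z0-9_\-]{20,})["']?/gi },
  // A bearer token hard-coded into an Authorization header
  { name: 'bearer-token', re: /Bearer\s+([A-Za-z0-9_\-\.]{20,})/g },
];

// Constructed sample assets standing in for a build's output directory.
const SAMPLE_ASSETS = {
  'main.bundle.js':
    '(()=>{var e={apiKey:"EXAMPLEKEY_0123456789abcdefghij",region:"eu-west-1"};' +
    'fetch("/api",{headers:{Authorization:"Bearer EXAMPLE.token.value_abcdefghijklmnop"}})})();',
  'index.html': '<script>window.cfg={env:"prod"}</script>',
  'config.json': '{"accessKeyId":"AKIAIOSFODNN7EXAMPLE","bucket":"assets"}',
  'theme.css': '.logo{background:url("https://cdn.example/logo.png?token=EXAMPLE_css_token_0123456789")}',
};

// Returns one finding per match: which file, which pattern, and a redacted preview
// (only the first six characters, so the scanner's own log does not re-leak the value).
function scanAssets(assets, patterns = SECRET_PATTERNS) {
  const findings = [];
  for (const [file, body] of Object.entries(assets)) {
    for (const { name, re } of patterns) {
      for (const m of body.matchAll(re)) {
        const value = m[1] ?? m[0];
        findings.push({ file, type: name, preview: value.slice(0, 6) + '...' });
      }
    }
  }
  return findings;
}

// CI gate: true only when no credential-shaped string was found in any asset.
function safeToDeploy(assets) {
  return scanAssets(assets).length === 0;
}

for (const f of scanAssets(SAMPLE_ASSETS)) {
  console.log(`${f.file}: ${f.type} (${f.preview})`);
}
console.log('safe to deploy:', safeToDeploy(SAMPLE_ASSETS));
```

Run against a real build directory, the same loop would read each file in `dist/` and fail the pipeline when `safeToDeploy` returns false.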
The study also found that exposed credentials often remain accessible for
long periods, ranging from several months to multiple years.
Developers were frequently unaware of the issue until contacted, indicating gaps in monitoring and review processes.
After disclosure efforts began, the number of exposed credentials dropped by roughly half within two weeks.
The researchers caution that their findings likely represent only a lower bound, as they verified credentials from a limited set of service providers.
That leaves open the possibility that far more credentials remain publicly accessible across the web without detection.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/api-credentials-are-widely-and-publicly-exposed-on-the-web-experts-scour-10-million-web-pages-and-find-a-shocking-amount-of-security-info-just-lying-around
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)