A simple coding mistake is exposing API keys across thousands of websites

After analyzing 10 million webpages, researchers have found thousands of websites accidentally exposing sensitive API credentials, including keys linked to major services like Amazon Web Services, Stripe, and OpenAI.

This is a serious issue because APIs act as the backbone of the apps we use today. They allow websites to connect to services like payments, cloud storage, and AI tools, but they rely on digital keys to stay secure. Once exposed, API keys can allow anyone to interact with those services with malicious intent.

Sensitive API keys exposed across thousands of sites

According to TechXplore, the researchers identified 1,748 unique API credentials across nearly 10,000 webpages, tied to 14 major service providers. These leaks were not limited to obscure sites, with some appearing on platforms run by global banks and major software developers.

Around 84% of these leaks came from JavaScript files, which are easily accessible through a browser. This means the credentials were effectively sitting in publicly visible code.

Even more concerning is how long these keys remained exposed. Some were visible for up to 12 months, while a few rare cases showed credentials staying public for several years without detection.

So, what’s causing these leaks?

The study makes it clear that the problem does not lie with service providers like Amazon, Stripe, or OpenAI. Instead, the issue stems from how developers handle API keys.

In many cases, developers accidentally include private API credentials in the front-end code of a website, leaving it visible to anyone who knows where to look.

How to stop API keys from being exposed?

To prevent future leaks, the researchers suggest a few practical steps. Developers should scan the live version of their websites, and not just private code, to catch exposed keys.

With the rise of vibecoding, companies need stricter rules for automated website-building tools that handle sensitive data during deployment. This is also why platforms like Lovable have started adding safe browsing tools to protect users from poorly vibecoded websites.

Meanwhile, service providers need to improve detection systems to flag exposed keys the moment they appear online. Although responsible disclosure helped reduce some of these leaks, the scale of the issue remains significant.

Recent reports have also shown how simply visiting a website can expose your device to serious risks, highlighting how fragile web security can be for everyday internet users.