‘API credentials are widely and publicly exposed on the web’: Experts…
JavaScript files remain the primary source of widespread credential exposure
Security researchers from Stanford University, UC Davis, and TU Delft say sensitive API credentials are sitting openly on thousands of public webpages, with very little protection.
As reported in a preprint version of the study on arXiv, the researchers analyzed 10 million webpages and identified 1,748 valid credentials exposed across nearly 10,000 pages.
These credentials cover cloud platforms, payment services, and developer tools used in production environments.
The issue cuts across both lesser-known sites and high-profile organizations, including cases tied to financial institutions and infrastructure-related services.
Nurullah Demir, a PhD candidate at Stanford, said, “What we found were highly sensitive API credentials left publicly exposed on public webpages,” describing a pattern that suggests weak controls rather than isolated mistakes.
These credentials function as access tokens that allow applications to interact directly with external platforms.

API credentials differ from standard login details because they enable automated and continuous access to services, often without additional verification layers.
Demir noted that such access can extend to databases, storage platforms, and key management infrastructure depending on the permissions attached to each key.
One example involved a major financial institution where cloud credentials were embedded in website code, creating direct exposure to internal services.
In another case, repository credentials linked to firmware development were found exposed, raising the possibility of unauthorized code changes and distribution of altered updates.
This expands the risk beyond data access into potential manipulation of software used in connected devices.
The researchers traced most exposures to client-side code, especially JavaScript files delivered to users’ browsers.
About 84% of the identified credentials appeared in JavaScript resources, with many originating from bundled files created by build tools such as Webpack.
These processes can unintentionally include sensitive data when configurations are not tightly controlled.
Other exposures were found in HTML and JSON files, while some appeared in less typical locations such as CSS.
The spread across multiple file types suggests that the problem is embedded in how web assets are prepared and deployed rather than tied to a single development stage.
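A pre-deploy check of the kind these findings point to, as an added example that is not from the study or the article: it scans every file in a build's output (JavaScript, CSS or anything else) for strings shaped like well-known credential formats and reports them with the value redacted. The rule set, asset names and sample values are constructed assumptions, and the study's own detection method is not shown here.

```javascript
// Added example: scan built assets for credential-shaped strings before deploy.
// Rule set is illustrative (publicly documented key formats), not exhaustive.
const RULES = [
  { id: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { id: "stripe-secret-key", re: /\b[sr]k_live_[0-9A-Za-z]{24,}\b/g },
  { id: "github-token", re: /\bgh[pousr]_[0-9A-Za-z]{36,}\b/g },
  { id: "pem-private-key", re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/g },
];

// Keep only a short prefix so the report itself never repeats the secret.
function redact(value) {
  return value.slice(0, 8) + "...(" + value.length + " chars)";
}

// Returns one finding per match: rule id, asset name, 1-based line and column.
function scanAsset(name, text) {
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of text.matchAll(re)) {
      const before = text.slice(0, m.index);
      const line = before.split("\n").length;
      const column = m.index - before.lastIndexOf("\n");
      findings.push({ rule: id, asset: name, line, column, match: redact(m[0]) });
    }
  }
  return findings;
}

// assets: { "path/in/dist": "file contents" }. A non-empty result should fail the build.
function scanAssets(assets) {
  return Object.entries(assets).flatMap(([name, text]) => scanAsset(name, text));
}

// Constructed sample: a minified bundle where a build step inlined server-side
// settings. All values are fake and assembled at runtime (AWS's documentation key).
const fakeAws = "AKIA" + "IOSFODNN7EXAMPLE";
const fakeStripeSecret = "sk_live_" + "0".repeat(24);
const fakeStripePublishable = "pk_live_" + "0".repeat(24); // public by design, not flagged
const SAMPLE_ASSETS = {
  "dist/main.js":
    `!function(){var e={region:"us-east-1",accessKeyId:"${fakeAws}"};\n` +
    `fetch("/pay",{headers:{Authorization:"Bearer ${fakeStripeSecret}"}});` +
    `Stripe("${fakeStripePublishable}")}();`,
  "dist/theme.css": `/* deploy key ${fakeAws} */ body{margin:0}`,
};

console.log(scanAssets(SAMPLE_ASSETS));
```

A pattern match only shows that a string has the shape of a key; whether it is live and what it can reach has to be established with the owning service, and any real hit should be rotated rather than just removed from the bundle.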
The study also found that exposed credentials often remain accessible for long periods, ranging from several months to multiple years.

Developers were frequently unaware of the issue until contacted, indicating gaps in monitoring and review processes.
After disclosure efforts began, the number of exposed credentials dropped by roughly half within two weeks.
The researchers caution that their findings likely represent only a lower bound, as they verified credentials from a limited set of service providers.
That leaves open the possibility that far more credentials remain publicly accessible across the web without detection.
Efosa has been writing about tech innovation for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master’s and a PhD in sciences, which provided him with a solid foundation in analytical thinking.