API keys and credentials leaked at scale
Researchers found nearly 10,000 websites inadvertently exposing security credentials and API keys, a vector that can fuel automated fraud, identity abuse and supply‑chain attacks against insurers and their vendors. The discovery shows why continuous credential monitoring, and feeding cyber signals into onboarding and claims workflows, are becoming table stakes. (newscientist.com)
The researchers ran a dynamic analysis of roughly 10 million web pages and extracted 1,748 distinct credentials spanning 14 third‑party service providers. (arxiv.org) Most exposures were traced to JavaScript artifacts observed at runtime, especially bundled front‑end files and third‑party resource inclusions, rather than to secrets embedded in static site code; a scanner that only reads a site's static source would miss them. (arxiv.org) Archived snapshots show that exposed credentials persisted for anywhere from about one month to multiple years before being removed or invalidated. (arxiv.org) A manual follow‑up by the authors found high‑sensitivity items among the leaks, including RSA private keys, OAuth2 credentials, internal service URLs and development‑related email addresses. (arxiv.org)

The paper's authors are Nurullah Demir (Stanford), Yash Vekaria (UC Davis), Georgios Smaragdakis (TU Delft and Stanford) and Zakir Durumeric (Stanford), and the preprint was submitted to arXiv on 12 March 2026. (arxiv.org) The team reports that coordinated responsible‑disclosure outreach reduced the web‑exposed credential footprint, and the paper closes with concrete mitigation recommendations for developers, web operators and supply‑chain integrators. (arxiv.org)
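The finding that most leaks sit in runtime-loaded JavaScript rather than static source is the practical takeaway for anyone building the "continuous credential monitoring" the digest mentions. The following is an added example written for this digest, not code from the paper or its authors: a small scanner that takes the script bodies a page actually loaded (as a headless browser or intercepting proxy would capture them), flags well-known credential formats plus generic high-entropy assignments, and marks which findings came from a third-party origin. The page URL, resource URLs, key values and severity ratings are all constructed for illustration; the one recognisable value, AKIAIOSFODNN7EXAMPLE, is Amazon's documented example access key ID.

```python
"""Runtime-resource secret scanner.

Added example for this digest; it is not code from the paper or its authors.
It assumes a headless browser or intercepting proxy has already captured the
bodies of every script a page loaded, and scans those bodies rather than the
site's static source. All URLs, key values and severities are constructed.
"""
import math
import re
from urllib.parse import urlparse

# Detector name -> (public format of the credential, triage severity).
# Severities are this example's opinion, not the paper's classification.
DETECTORS = {
    "rsa_private_key": (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "critical"),
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    "stripe_secret_key": (re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"), "high"),
    "github_token": (re.compile(r"\bghp_[0-9A-Za-z]{36}\b"), "high"),
    "slack_token": (re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"), "high"),
    # Meant to ship to browsers; listed so referrer/quota restrictions get reviewed.
    "google_api_key": (re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), "medium"),
    "stripe_publishable_key": (re.compile(r"\bpk_live_[0-9a-zA-Z]{24,}\b"), "info"),
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}

# Catch-all for secrets without a recognisable prefix: a secret-ish name
# assigned a long literal, gated by entropy so constants and placeholders drop out.
GENERIC_ASSIGN = re.compile(
    r"""(?i)\b(secret|token|api[_-]?key|password|client[_-]?secret)\s*[:=]\s*["']([^"'\s]{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits/char; an assumed cut-off, tune against your own bundles


def shannon_entropy(s: str) -> float:
    """Bits per character of s's character-frequency distribution (0 for empty)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str) -> list[dict]:
    """Return one finding per credential found in a script body."""
    findings, claimed = [], []
    for name, (pattern, severity) in DETECTORS.items():
        for m in pattern.finditer(text):
            claimed.append(m.span())
            findings.append({"type": name, "severity": severity,
                             "offset": m.start(), "sample": m.group(0)[:12] + "..."})
    for m in GENERIC_ASSIGN.finditer(text):
        start, end = m.span(2)
        if any(start < c_end and c_start < end for c_start, c_end in claimed):
            continue  # a specific detector already explained this literal
        value = m.group(2)
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append({"type": "generic_high_entropy", "severity": "medium",
                             "offset": start, "sample": value[:8] + "..."})
    return findings


def scan_page_resources(page_url: str, resources: dict) -> list[dict]:
    """Scan every script body a page loaded and tag third-party origins.

    `resources` maps resource URL -> body text, as a browser's network log
    would provide it. Results are ordered by severity, most serious first.
    """
    page_host = urlparse(page_url).hostname
    report = []
    for url, body in resources.items():
        third_party = urlparse(url).hostname != page_host
        for finding in find_secrets(body):
            finding.update({"resource": url, "third_party": third_party})
            report.append(finding)
    return sorted(report, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed sample: a first-party bundle and a third-party loader. Every key
# is fake (the AWS value is Amazon's documented example key).
SAMPLE_PAGE = "https://shop.example/checkout"
SAMPLE_RESOURCES = {
    "https://shop.example/static/app.bundle.js": (
        'const stripe = Stripe("pk_live_EXAMPLEEXAMPLEEXAMPLE123");\n'
        'const cfg = {clientSecret: "q7Hn2vLp9XzT4wRk8sYb3mJc1dFe6gAu", token: "0000000000000000"};\n'
        'fetch("https://api.shop.example/charge", {headers: {"X-Key": "sk_live_EXAMPLEEXAMPLEEXAMPLE123"}});\n'
    ),
    "https://cdn.widgets.example/maps-loader.js": (
        'window.__mapsKey = "AIzaSyDEXAMPLEKEYEXAMPLEKEYEXAMPLE12345";\n'
        'const PEM = "-----BEGIN RSA PRIVATE KEY-----\\nMIIEowIBAAKCAQEAconstructedNotARealKey\\n-----END RSA PRIVATE KEY-----";\n'
        'AWS.config.update({accessKeyId: "AKIAIOSFODNN7EXAMPLE"});\n'
    ),
}

if __name__ == "__main__":
    for f in scan_page_resources(SAMPLE_PAGE, SAMPLE_RESOURCES):
        origin = "3rd-party" if f["third_party"] else "1st-party"
        print(f'{f["severity"]:8} {f["type"]:24} {origin}  {f["resource"]}  {f["sample"]}')
```

Two design points matter in practice. First, the input is the set of resources the browser fetched, so a secret that only reaches the client through a third-party loader or a lazily fetched chunk is scanned along with the first-party bundle; a scan of the checked-in source tree would not see it. Second, not every key in a bundle is a defect: publishable and browser-side API keys are designed to ship to clients, so the report ranks them below secret keys and private keys, and the real review question for the lower tiers is whether the key is restricted (referrer, scope, quota) to what a browser legitimately needs. The entropy gate on the generic detector is what keeps placeholder strings like the all-zero token out of the report; the threshold is an assumption to tune against your own bundles.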