$20M in Stripe Tokens Found in API Secret Sprawl

The research, conducted by API security platform Escape, involved scanning 189.5 million URLs across the 1 million most popular web domains. This method analyzed applications in real-world use, examining front-end code like JavaScript, not just code repositories. The scan uncovered over 18,000 API secrets, with 41% classified as highly critical, posing significant financial risks. The exposed credentials spanned a wide range of services, including hundreds of tokens for Stripe, GitHub, and GitLab, alongside RSA private keys, and keys for AWS, OpenAI, and cryptocurrency exchanges. This issue, termed "secret sprawl," is growing, with one report noting a 67% increase in secrets found on GitHub in 2023 alone. Hardcoding secrets directly into source code for convenience remains a primary cause of such leaks. For insurtech platforms, this type of vulnerability directly threatens agentic AI systems used in claims automation and underwriting. An exposed API key could allow unauthorized access to sensitive policyholder data, disrupt automated claims processing pipelines, or manipulate underwriting models. This compromises not only financial data but also the integrity of automated decision-making processes that rely on secure API integrations. The 2023 breach of a Microsoft Account Consumer Key serves as a stark example of the potential damage. In that incident, threat actor Storm-0558 used a single leaked key to forge access tokens and gain access to unclassified email data from multiple government agencies. This highlights how a single exposed secret can become a critical point of failure, enabling widespread unauthorized access. Mitigating this risk requires a multi-layered approach. Automated secret scanning tools like GitGuardian and TruffleHog can detect credentials in code repositories and CI/CD pipelines before they are deployed. Runtime enforcement, using API gateways and firewalls, provides a crucial second layer of defense by monitoring and controlling API traffic in real-time to block unauthorized requests, even if a key is exposed. Effective API security design incorporates the principle of least privilege, ensuring keys have minimal necessary permissions, and implements strict rate limiting and throttling to prevent abuse. For systems handling sensitive financial and personal data, robust authentication methods like OAuth 2.0 with short-lived tokens are critical, moving beyond static API keys which are more vulnerable. Regular rotation of all credentials is a foundational practice to limit the window of opportunity for attackers. For technical leaders on a Staff/Principal track, influencing teams to adopt a "security-first" API design mindset is paramount. This involves championing the use of centralized secret management systems like AWS Secrets Manager or HashiCorp Vault. It also means advocating for runtime security monitoring to gain visibility into how APIs are actually being used and to detect anomalies that could indicate a breach. Ultimately, secret sprawl is not just a technical problem but a systemic one, tied to the proliferation of non-human identities (NHIs) like service accounts and AI agents. As agentic systems become more complex in insurance and finance, managing the lifecycle of their credentials—from creation and rotation to revocation—becomes a core pillar of platform architecture and a critical responsibility for technical founders.