Websites exposing over a million secrets, leaving visitors at risk

Thousands of websites are leaving their most sensitive keys in the doors, creating a perfect environment for thieves. The Cybernews research team has discovered 58,364 unique websites from around the globe that are vulnerable to data breaches and even complete takeovers. For visitors, it’s a security disaster.

On April 9th, the Cybernews research team started an investigation into publicly exposed environment files (.env).

These configuration files should be kept private and protected at all costs, as they hold passwords, API keys, and other secrets that websites need to access databases, mail servers, payment processors, content management systems, and various other services.

Yet, a scan of publicly available indexes reveals thousands of website owners leaving their most precious keys unprotected. Not only are these websites vulnerable to unauthorized access and data breaches, but visitors are also exposed to many dangers.

Key takeaways

  • An analysis by the Cybernews research discovered a million publicly exposed secrets from over 58 thousand websites’ exposed environment (.env) files.
  • Most of the affected websites come from the United States.
  • In half of the cases, the exposed secrets allow direct database access for unauthorized actors.
  • Exposed secrets include payment processor API keys, email credentials, cloud access keys, application keys, and OAuth secrets. GCP keys, Firebase endpoints, and secrets, Azure secrets, Google Cloud and other cloud provider credentials were also present.

What did we find?

The analysis of the most up-to-date indexes of environment files resulted in a dataset of 1,141,004 secrets cumulatively exposed from 58,364 unique websites.

“These are valid and publicly accessible secrets at the time of the investigation. The sheer number of them shed light on what types of website functionality are the most likely to be compromised by malicious actors,” our researchers explained.

The most commonly exposed secret was database credentials, which were present in the .envs of over 27 thousand websites. In such cases, only 12% of the databases were hosted remotely, likely allowing for easy credential exploitation.

“Databases often store a lot of sensitive information such as users' private information or admin account information. Database credentials being leaked can expose the website’s users’ names, addresses, passwords, orders, actions, etc. Databases can also contain more website infrastructure and admin credentials that could be used for lateral movement or in further attacks,” Cybernews researchers noted.

The second most frequent secret type being leaked is application keys, which are usually used to encrypt and decrypt cookies and other sensitive information. App keys could theoretically be used for session hijacking, data theft, and other attacks.

Email credentials were present in over 10,000 websites.

“Exposed email credentials can be used by malicious actors for account takeover to send phishing emails from official email addresses, making them appear more legitimate. That could lead to many scams and frauds. Threat actors can also attempt to access other accounts.”

Three and a half thousand websites had their Mautic Credentials exposed. This open-source marketing automation software is used for marketing campaigns, lead generation, email marketing, and other purposes. Mautic Credentials can expose website usage activity, contact information, and order information.

AWS Keys can allow malicious actors access to the website’s AWS Cloud Storage, which could be used to store files like unencrypted database backups, receipts, KYC documents, and videos.

Over 1200 AWS keys could also be exploited to access AWS Cloud Storage and snoop on company documents such as receipts, KYC forms, or others.

Leaking 800 Google OAuth Client secrets and 500 Facebook OAuth Client secrets poses risks for gaining unauthorized access to user accounts.


The most sensitive credentials were less frequent.

“We found that over 100,000 (or 10%) of the leaked secrets were high-risk credentials. They could potentially be used to take over the website or be used to craft high-impact lateral attacks. High-risk credentials include database passwords, AWS keys, email passwords, Payment processor credentials, and authentication systems such as Google and Facebook SSO,” our researchers said.

The research team found a few hundred API keys used to access payment processors, including 140 valid Stripe API keys, over 100 PayPal API keys, and over 200 Razorpay (Indian Payment Processor) secrets. Also, dozens of websites leaked Zoom API keys, and there were a handful of SSH passwords, endpoints, usernames, private keys, and Zoho CRM secret keys.

“This is worrying as payment processor credentials may expose payment information or allow unauthorized withdrawals,” the team warned.

The US is the most affected

Most of the affected websites, or 17,990, were hosted in the United States. However, secrets were leaking on websites from all over the world.

Cybernews researchers discovered 7091 misconfigured websites from Germany, 3290 from India, and 2916 from France. Other countries with over 1,000 leaking websites were Singapore, China, the United Kingdom, the Russian Federation, Japan, and the Netherlands.


“It’s estimated that there are around 1 billion websites on the internet, of which only 200 million are active. This could suggest that we’re exploring only a small fraction of a percentage, or 0.0002%, of the total web. However, this is only the information gathered from public indexing services without connecting to any vulnerable servers in any way.”

Previous research from the Cybernews team demonstrated that even some of the most popular websites sometimes leave their .envs exposed. Among them are some of the top universities worldwide.

“For visitors, such websites are a minefield for privacy and security. Each action they make while using the website can turn into a plethora of potential dangers, such as losing your data, identity theft, spearphishing, and financial loss. It can easily spiral out of control,” researchers said.

The mistakes website owners make

While the rule of thumb is to never store or expose plaintext secrets, researchers agree that sometimes it is not that simple, or they wouldn’t be able to find any exposed secrets.

“The .env file name starts with a dot. Therefore, it’s automatically hidden on MacOS and Linux and not shown to the developer while they’re developing the web application unless they enable ‘show hidden files.’ That alone may lead to developers uploading sensitive files when they don’t intend to, for example, when they upload the whole folder. That also makes it easier to miss something when setting file access permissions,” researchers explained.

There are many reasons why .env files are left exposed, ranging from version control mishaps, misconfigured web servers, inadequate access controls, deployment errors, and human error or negligence.

The research team also found that most of the databases with leaking credentials were hosted on the same server as the website. Attackers would not need to venture far to access it.

“We also found thousands of cases where the databases were hosted on remote servers, but the leaked credentials could immediately be used by malicious actors. Without any IP whitelisting, anyone who finds the correct credentials can log into the database and read private customer and company information,” the research team concluded.

They recommend using secure and encrypted storage solutions and proper access controls for both .env files and databases.

More from Cybernews:

Musk's x.AI is looking for talent – here's how much he’s willing to pay

The Onion satirizes the ScarJo and OpenAI drama, and it’s hilarious

Ex-OpenAI board members speak up: Altman’s reinstatement “bodes ill for the OpenAI experiment in self-governance”

It’s curtains after 28 years for veteran messenger ICQ

Musk's AI startup xAI nets $6 billion

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked