KeyDrop Scans The Web for Publicly Exposed API Keys

An application programming interface (API) key is a code used to identify and authenticate an application or user to another service, essentially logging one program or service into another. Much like passwords, these keys are supposed to be secret credentials known only to the client and the server. They often have no expiration, so a stolen key can be used indefinitely unless it is regenerated or revoked.

Unfortunately, tens of thousands of API keys are publicly exposed online, leaving consumers at risk. That’s why security researcher Silas Cutler started KeyDrop, a public-interest cybersecurity research initiative aimed at reducing API key abuse. 

KeyDrop scans the internet for publicly exposed API keys and reports them–or attempts to report them–to service providers that issued those keys. This initiative could be better if more companies made it easier to submit these reports.

Essentially, companies are leaving their keys under the front doormat. KeyDrop goes mat by mat, letting the provider that issued each key know it has been exposed, so the provider can disable the key and notify the customer who was using it.

KeyDrop was inspired by GitHub’s Secret Scanning, a program that, when enabled, scans GitHub repositories for API keys, passwords, tokens and other secrets. It alerts repository administrators to the exposed secrets and also notifies the provider that issued each one so it can revoke the credential or take other appropriate action. That allows platforms to proactively suspend compromised API keys before they are misused. Secret Scanning is free for public repositories. 

KeyDrop applies this scanning to the entire internet, not just specific repos. It reports exposed credentials to the appropriate provider. 

A Ubiquitous Problem

Sometimes people don’t think of their API tokens as passwords, so they store them in cleartext in their own code stored on their own computer, and then end up transferring the project somewhere public-facing, where it becomes a risk. 

Some people accidentally expose their API keys through coding mistakes that are easy to make. For example, a Dockerfile line such as `COPY * /app` copies the entire build directory, including files like `.env` that hold credentials, into the container image that gets shipped, whereas `COPY *.html /app` copies only the HTML files. 
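To show what the broad-COPY mistake above looks like to a scanner, here is an added example (not KeyDrop’s code) that audits a constructed Docker build context: it flags a `COPY *` or `COPY .` line and reports any key-like strings in the files that line would ship. The key prefixes (OpenAI `sk-`, Stripe `sk_live_`, AWS `AKIA`, Google `AIza`) are assumed formats for illustration, and the sample key in the `.env` file is made up.

```python
import re
import tempfile
from pathlib import Path

# Regexes for well-known key prefixes. Assumed formats for illustration;
# tune the lengths to the providers you actually care about.
KEY_PATTERNS = {
    "openai": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "stripe_live": re.compile(r"\bsk_live_[A-Za-z0-9]{16,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}
# A COPY/ADD whose source is "*" or "." ships the whole build context, .env included.
BROAD_COPY = re.compile(r"^\s*(?:COPY|ADD)\s+(?:\*|\.)\s+\S+", re.MULTILINE)

def mask(secret: str) -> str:
    """Keep enough of the value to identify the key type, never the full credential."""
    return secret[:8] + "..." + secret[-4:]

def find_keys(text: str) -> list:
    """Return sorted (provider, masked_key) pairs for every key-like string in text."""
    hits = set()
    for provider, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.add((provider, mask(m.group(0))))
    return sorted(hits)

def audit_build_context(ctx: Path) -> dict:
    """Flag a broad COPY in the Dockerfile and key-like strings in files it would ship."""
    report = {"broad_copy": False, "secrets": []}
    dockerfile = ctx / "Dockerfile"
    if dockerfile.is_file():
        report["broad_copy"] = bool(BROAD_COPY.search(dockerfile.read_text()))
    for path in sorted(ctx.rglob("*")):  # pathlib globs include dotfiles such as .env
        if path.is_file() and path.name != "Dockerfile":
            for provider, masked in find_keys(path.read_text(errors="ignore")):
                report["secrets"].append((str(path.relative_to(ctx)), provider, masked))
    return report

def demo() -> dict:
    """Constructed build context; the key below is a made-up sample, not a real credential."""
    with tempfile.TemporaryDirectory() as tmp:
        ctx = Path(tmp)
        (ctx / "Dockerfile").write_text("FROM nginx\nCOPY * /app\n")
        (ctx / "index.html").write_text("<h1>hello</h1>\n")
        (ctx / ".env").write_text("OPENAI_API_KEY=sk-EXAMPLE" + "0" * 22 + "\n")
        return audit_build_context(ctx)

if __name__ == "__main__":
    print(demo())
```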

As of September 2025, KeyDrop had 4700 observations of OpenAI keys, which included 103 unique keys.

What Can Happen

If a person or organization has an exposed API token, it can allow bad actors to access their account services, so the API owner might be charged for services they’re not using. For example, an attacker might spin up cryptomining servers, racking up costs that the user may not know about until they receive a usage alert or a large bill.

Bad actors could also use critical services like payment processors to test stolen credit cards without it being traced back to them, contributing to widespread fraud. Or, they might access data hosting providers and steal private business data from enterprise cloud environments.

Reporting Process

KeyDrop has been working with Google, OpenAI, and Stripe to auto-scan and report exposed credentials to them, but other major API key issuers don’t make it as easy. 

“If platforms made it easier for security researchers to automatically report exposed API tokens, they would probably get a lot more reports than we are currently giving them,” Cutler said. 

That’s because the way KeyDrop finds exposed API tokens is not the only way to find them.

“For example, many security researchers monitor cybercriminal chats and forums where bad actors might share collections of stolen API keys that are sourced from things like data breaches and infostealer malware logs,” said Aurora Johnson, a security researcher who volunteers on the KeyDrop project.

KeyDrop is inviting large technology platforms to develop standardized mechanisms for accepting reports of exposed credentials through third-party API endpoints. The ideal method would be a dedicated API endpoint for reporting the keys, along with enough information for the company and the user to validate them. The providers could then decide the appropriate next steps. For example, if a key is being used in a production environment, the provider might choose not to invalidate it right away.

KeyDrop is actively working with Google, OpenAI and Stripe, but Amazon, Microsoft, GitLab and PayPal do not have API endpoints and instead require researchers to send emails. This is not ideal, because it is an inefficient process for both the researchers and the companies themselves, which may have hundreds of emails to sort through, some of which may be spam or unactionable reports. Or they may have a portal that requires registration, which similarly does not scale.

OpenAI is ahead of the curve: the company not only has a process directing people to a Google form to submit the keys, it also accepts anonymous submissions, which some researchers prefer.

“Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment,” an AWS spokesperson said. “Researchers can report security concerns, including exposed customer credentials, to AWS at aws-security@amazon.com (PGP key).” The company says it helps customers secure their cloud resources through a shared responsibility model. Customers who suspect they’ve exposed their credentials can follow specific steps to secure their account, and can contact AWS Support with any questions or concerns about the security of their account.

Microsoft allows researchers to report exposed API tokens or vulnerabilities through the Microsoft Security Response Center (MSRC) portal.

PayPal and GitLab did not respond to requests for comment.

For more information about KeyDrop, visit the website, keydrop.io.

At Consumer Reports, we’re inspired by public interest research projects like KeyDrop that help make the internet safer for everyone. When security researchers can easily report security vulnerabilities, companies can act fast and consumers stay better protected. We’re continuing to champion stronger digital protections for all. Learn more about our latest advocacy work. For digital security tips, check out Security Planner.
