Case Studies
5 real exposed API key disasters (and how to avoid being next)
Exposed API keys are the single most common security mistake in AI-generated code, and the consequences are rarely theoretical. These are five patterns of real incidents the security community has documented widely โ the names and exact amounts vary by report, but the mechanism is identical every time, and it's worth understanding precisely because it's so preventable.
1The committed Stripe key
A founder pushes a working payment integration to a public GitHub repo, with the live Stripe secret key sitting directly in the source file. Within hours โ sometimes minutes โ automated bots that continuously scan GitHub for key patterns find it. The key gets used to attempt fraudulent charges or query customer payment data before the founder even notices the commit.
2The five-figure AWS bill
An AWS access key, hardcoded for convenience while testing an S3 upload feature, ends up in a public repository. Crypto-mining bots โ which specifically hunt for AWS credentials โ pick it up and spin up dozens of high-powered compute instances under the account owner's billing. The first sign of trouble is often the invoice, not an error message.
3The drained OpenAI quota
A side project ships with an OpenAI API key embedded directly in client-side JavaScript โ visible to anyone who opens browser dev tools, no GitHub leak required. Within a day, the key is being used by unrelated traffic, and the monthly quota that was supposed to last a month is gone in hours.
4The open Supabase table
A Supabase project ships with the public anon key in the frontend โ which is normal and expected โ but without Row-Level Security enabled on the tables. Anyone with that public key, which is visible in the browser by design, can query every row in every table directly, because there's no database-level rule restricting access.
5The forgotten staging key
A key gets hardcoded "just for testing" in a staging branch, with every intention of removing it before the merge to production. The branch gets merged anyway, months later, by someone who didn't write that line and has no idea it's there. The key sits live in production code, undiscovered, until a routine audit โ or an attacker โ finds it.
The common thread
None of these required a sophisticated attacker. Every single one was found by automated scanning โ the same kind of scanning a security tool can run on your own code before you ship, instead of after someone else finds it for you.
3 free scans every month ยท Your code is never stored
Related reading: