← Back to Blog
Security2026-03-2814 min read

How Hackers Find Exposed API Keys (Real Techniques)

Understanding how attackers find exposed API keys is the first step to protecting yours. This is not theoretical. These are the exact techniques used in real attacks, documented from incident response investigations and security research. Knowing the playbook helps you close the gaps before someone else exploits them.

Technique 1: GitHub Search Operators

GitHub is the single largest source of leaked credentials on the internet. Attackers use advanced search operators to find secrets committed to public repositories. The searches are simple, fast, and devastatingly effective.

Common search queries attackers use:

# Find AWS keys
"AKIA" language:python
"AKIA" language:shell
"aws_secret_access_key" filename:.env

# Find Stripe keys
"sk_live_" language:javascript
"sk_live_" language:ruby

# Find database credentials
"mongodb+srv://" password
"postgres://" password
"mysql://" password

# Find API keys by service
"sendgrid" "api_key"
"twilio" "auth_token"
"slack" "xoxb-"

Automated tools like Shhgit and gitrob continuously monitor GitHub's public event stream, scanning every new commit in real time. Research from North Carolina State University found that secrets are discovered by bots within one to five minutes of being pushed. Some honeypot studies have observed exploitation within 30 seconds.

Technique 2: Google Dorking

Google indexes far more than most people realize. Configuration files, environment files, and even database dumps end up in Google's index through misconfigured web servers, public Trello boards, and paste sites.

# Find exposed .env files
intitle:"index of" ".env"
filetype:env DB_PASSWORD
filetype:env AWS_SECRET

# Find exposed config files
intitle:"index of" "wp-config.php.bak"
filetype:yml "api_key"
filetype:json "client_secret"

# Find keys on paste sites
site:pastebin.com "aws_secret_access_key"
site:gist.github.com "sk_live_"

# Find exposed phpinfo
intitle:"phpinfo()" "mysql" "password"

Technique 3: Scanning JavaScript Files

Frontend JavaScript files are a goldmine for attackers. Developers frequently embed API keys directly in client-side code, assuming obfuscation or minification provides protection. It does not.

Attackers use tools like LinkFinder, JSParser, and custom scripts to extract URLs and secrets from JavaScript bundles. They look for:

  • Google Maps API keys (used for billing fraud)
  • Firebase configuration (database access)
  • Stripe publishable keys (not directly dangerous but reveals account info)
  • Internal API endpoints with hardcoded tokens
  • AWS Cognito pool IDs and app client IDs
# Using LinkFinder to extract endpoints from JS
python3 linkfinder.py -i https://target.com/bundle.js -o cli

# Simple grep for common patterns
curl -s https://target.com/main.js | grep -oE 'AIza[0-9A-Za-z\-_]{35}'
curl -s https://target.com/main.js | grep -oE 'AKIA[0-9A-Z]{16}'

Technique 4: .env File Crawling

Attackers routinely check for exposed .env files on web servers. A surprising number of web applications leave these files accessible. Automated scanners probe thousands of domains per hour:

# Common paths attackers check
/.env
/.env.production
/.env.local
/.env.backup
/api/.env
/app/.env
/config/.env

A 2024 study by Cybernews found over 2.6 million .env files exposed on the public internet. Each potentially contains database credentials, API keys, encryption secrets, and email service credentials. Read our detailed guide on the danger of exposed .env files.

Are Your .env Files Exposed?

SecureBin Exposure Checker tests for exposed .env files, git directories, backup files, and 16 other security checks. Find out in seconds.

Scan Your Domain Free

Technique 5: Shodan and Censys Scanning

Shodan and Censys are search engines for internet-connected devices. Attackers use them to find exposed databases, admin panels, and misconfigured services that may contain or accept API keys:

  • MongoDB instances without authentication (port 27017)
  • Redis servers with no password (port 6379)
  • Elasticsearch clusters with open access (port 9200)
  • Docker APIs exposed to the internet (port 2375)
  • Kubernetes dashboards without authentication

Technique 6: Mobile App Reverse Engineering

Mobile apps are compiled, not encrypted. Attackers decompile APK files (Android) and IPA files (iOS) to extract hardcoded API keys, backend URLs, and authentication tokens. Tools like apktool, jadx, and Hopper make this trivial. Any API key embedded in a mobile app should be considered public knowledge.

Technique 7: CI/CD Log Mining

Build logs from CI/CD systems sometimes contain secrets that were printed during build or deploy steps. If your CI/CD dashboard is publicly accessible or if logs are stored in an accessible location, attackers can extract credentials from them. Always mask secrets in CI/CD output and restrict access to build logs.

What Attackers Do After Finding a Key

  1. Validate the key by making a minimal API call to confirm it works
  2. Determine permissions by testing different API endpoints and operations
  3. Escalate access by using the key to find additional credentials (e.g., using an AWS key to read Secrets Manager)
  4. Exfiltrate data from databases and storage systems
  5. Establish persistence by creating new credentials or backdoors
  6. Monetize through cryptocurrency mining (AWS), selling data, or ransomware

Frequently Asked Questions

How fast are exposed keys discovered by attackers?

Academic research and honeypot studies consistently show that secrets pushed to public GitHub repositories are discovered within one to five minutes. Automated bots monitor GitHub's public event stream in real time, parsing every commit for patterns matching known secret formats. Some researchers have observed initial scanning within 30 seconds of a push. This means that even if you immediately realize your mistake and delete the commit, the key has likely already been captured.

Are private GitHub repositories safe for storing secrets?

No. Private repositories are less exposed than public ones, but they are not safe for storing secrets. Anyone with repository access (employees, contractors, CI/CD service accounts) can read the secrets. If a private repository is accidentally made public even momentarily, all secrets in its entire git history are exposed. Additionally, repository forks may carry secrets to unexpected locations. Always use a dedicated secrets manager instead of storing credentials in any repository. See our guide on securing environment variables.

Can obfuscating or minifying JavaScript protect API keys?

No. Minification and obfuscation make code harder for humans to read but provide zero security against automated extraction. Simple regex patterns can extract API keys from any JavaScript file regardless of obfuscation. Source maps, if published, make the job even easier. Never embed sensitive API keys in client-side code. Use a backend proxy that adds the key server-side, or use OAuth tokens with proper scoping.

Think Like an Attacker, Scan Like a Defender

Run the same checks attackers run on your domain. SecureBin Exposure Checker tests for exposed files, headers, SSL, DNS, and more. Free, instant results.

Scan Your Domain Free

The Bottom Line

Attackers have sophisticated, automated tooling for finding exposed API keys. The techniques described here are not advanced hacking. They are simple searches that anyone can perform. The defense is equally straightforward: never commit secrets to repositories, never embed them in client-side code, use pre-commit hooks to catch mistakes, and regularly scan your infrastructure with tools like the SecureBin Exposure Checker. Know the attack surface and close it before someone else maps it.

Related reading: How to Check if API Key is Exposed, Detect Secrets in GitHub Repos, Exposed .env Files Danger, Exposed API Key Case Study.