Independent security researcher Bill Demirkapi has uncovered a significant amount of sensitive corporate data left exposed online. Since late 2021, Demirkapi has been developing methods to search overlooked data sources, leading to the discovery of thousands of security vulnerabilities. His findings include hard-coded developer secrets like passwords, API keys, and authentication tokens that could give cybercriminals access to company systems and sensitive data.
During his presentation at the DEF CON security conference in Las Vegas, Demirkapi revealed the extent of these exposed secrets. Among the 15,000 developer secrets found were usernames and passwords linked to Nebraska’s Supreme Court IT systems, API keys for Stanford University’s Slack channels, and over a thousand API keys belonging to OpenAI customers.
Demirkapi’s research also identified 66,000 websites with subdomain problems that left them vulnerable to attacks such as subdomain hijacking. Notably, he found weaknesses in a development domain owned by The New York Times, which allowed him to briefly publish a satirical article on their site.
Despite the challenges of alerting all affected websites, Demirkapi managed to revoke many of the 15,000 exposed secrets. While some companies, like OpenAI, provided tools to automatically deactivate compromised keys, others, such as Amazon Web Services and GitHub, were less cooperative, prompting Demirkapi to develop creative solutions for reporting and revoking exposed credentials.
Demirkapi’s approach highlights the potential of unconventional data sources in identifying widespread security issues and underscores the need for more innovative strategies in cybersecurity research.