#APIKeys

Latest posts tagged with #APIKeys on Bluesky

Posts tagged #APIKeys

Google API Keys Expose Gemini AI Data via Leaked Credentials Google API keys, once considered harmless when embedded in public websites for services like Maps or YouTube, have turned into a serious security risk following the integration of Google's Gemini AI assistant. Security researchers at Truffle Security uncovered this issue, revealing that nearly 3,000 live API keys—prefixed with "AIza"—are exposed in client-side JavaScript code across popular sites. Truffle Security's scan of the November 2025 Common Crawl dataset, which captures snapshots of major websites, identified 2,863 active keys from diverse sectors including finance, security firms, and even Google's own infrastructure. These keys, deployed sometimes years ago (one traced back to February 2023), were originally safe as mere billing identifiers but gained unauthorized access to Gemini endpoints without developers' knowledge. Attackers can simply copy a key from page source, authenticate to Gemini, and extract sensitive data like uploaded files, cached contexts, or datasets via simple prompts. The danger extends beyond data theft to massive financial abuse, as Gemini API calls consume tokens that rack up charges—potentially thousands of dollars daily per compromised account, depending on the model and context window. Truffle Security demonstrated this by querying the /models endpoint with exposed keys, confirming access to private Gemini features. One reported case highlighted an $82,314 bill from a stolen key, underscoring the real-world impact. Google acknowledged the flaw as "single-service privilege escalation" after Truffle's disclosure on November 21, 2025, and implemented fixes by January 2026, including blocking leaked keys from Gemini access, defaulting new AI Studio keys to Gemini-only scope, and sending proactive leak notifications. Despite these measures, the "retroactive privilege expansion" caught many off-guard, as enabling Gemini in projects silently empowered old keys.
Developers must immediately audit Google Cloud projects for Gemini API enablement, rotate all exposed keys, and restrict scopes to essentials—avoiding the default "unrestricted" setting. Tools like TruffleHog can scan code repositories for leaks, while regular monitoring prevents future exposures in an era where AI services amplify API risks. This incident highlights the need for vigilance as cloud features evolve.

Google API Keys Expose Gemini AI Data via Leaked Credentials #APIKeys #DataBreach #DataLeak

Previously harmless Google API keys now expose Gemini AI data Google API keys for services like Maps embedded in accessible client-side code could be used to authenticate to the Gemini AI assistant and access private data.

Previously harmless Google API keys now expose Gemini AI data

www.bleepingcomputer.com/news/securit...

#apikeys #aisecurity #google #geminiai #dataprotection


A stolen Google Cloud API key led a Mexican dev team to face $82K in unauthorized charges in just 48 hours. Learn how to protect your credentials and avoid such financial disasters. #CyberSecurity #APIKeys #GoogleCloud Link: thedailytechfeed.com/stolen-gemin...

Google's unprotected API keys a security and cost risk because of Gemini AI Security researchers have found nearly 3,000 publicly visible Google API keys that authorize Gemini. This enables abusive access.

#Google's unprotected #APIKeys are a cost and #security risk because of #Gemini #AI
heise.de/-11199646

Google API keys hiding in plain sight now unlock Gemini AI Google API keys embedded in public code now expose Gemini AI access and billing risk after researchers found 2,800 live keys in a November 2025 crawl. Here's what changed and why it matters.

FYI: Google API keys hiding in plain sight now unlock Gemini AI #GoogleAPI #GeminiAI #Cybersecurity #DataPrivacy #APIKeys


Thousands of Google Cloud API keys exposed, granting unauthorized access to Gemini endpoints. Users urged to review and rotate keys to prevent potential data breaches. #CyberSecurity #GoogleCloud #APIKeys Link: thedailytechfeed.com/thousands-of...

Publicly Exposed Google Cloud API Keys Gain Unintended Access to Gemini Services   A recent security analysis has revealed that thousands of Google Cloud API keys available on the public internet could be misused to interact with Google’s Gemini artificial intelligence platform, creating both data exposure and financial risks. Google Cloud API keys, often recognizable by the prefix “AIza,” are typically used to connect websites and applications to Google services and to track usage for billing. They are not meant to function as high-level authentication credentials. However, researchers from Truffle Security discovered that these keys can be leveraged to access Gemini-related endpoints once the Generative Language API is enabled within a Google Cloud project. During their investigation, the firm identified nearly 3,000 active API keys embedded directly in publicly accessible client-side code, including JavaScript used to power website features such as maps and other Google integrations. According to security researcher Joe Leon, possession of a valid key may allow an attacker to retrieve stored files, read cached content, and generate large volumes of AI-driven requests that would be billed to the project owner. He further noted that these keys can now authenticate to Gemini services, even though they were not originally designed for that purpose. The root of the problem lies in how permissions are applied when the Gemini API is activated. If a project owner enables the Generative Language API, all existing API keys tied to that project may automatically inherit access to Gemini endpoints. This includes keys that were previously embedded in publicly visible website code. Critically, there is no automatic alert notifying users that older keys have gained expanded capabilities. As a result, attackers who routinely scan websites for exposed credentials could capture these keys and use them to access endpoints such as file storage or cached content interfaces. 
They could also submit repeated Gemini API requests, potentially generating substantial usage charges for victims through quota abuse. The researchers also observed that when developers create a new API key within Google Cloud, the default configuration is set to “Unrestricted.” This means the key can interact with every enabled API within the same project, including Gemini, unless specific limitations are manually applied. In total, Truffle Security reported identifying 2,863 active keys accessible online, including one associated with a Google-related website. Separately, Quokka published findings from a large-scale scan of 250,000 Android applications, uncovering more than 35,000 unique Google API keys embedded in mobile software. The company warned that beyond financial abuse through automated AI requests, organizations must consider broader implications. AI-enabled endpoints can interact with prompts, generated outputs, and integrated cloud services in ways that amplify the consequences of a compromised key. Even in cases where direct customer records are not exposed, the combination of AI inference access, consumption of service quotas, and potential connectivity to other Google Cloud resources creates a substantially different risk profile than developers may have anticipated when treating API keys as simple billing identifiers. Although the behavior was initially described as functioning as designed, Google later confirmed it had collaborated with researchers to mitigate the issue. A company spokesperson stated that measures have been implemented to detect and block leaked API keys attempting to access Gemini services. There is currently no confirmed evidence that the weakness has been exploited at scale. However, a recent online post described an incident in which a reportedly stolen API key generated over $82,000 in charges within a two-day period, compared to the account’s typical monthly expenditure of approximately $180. 
The situation remains under review, and further updates are expected if additional details surface. Security experts recommend that Google Cloud users audit their projects to determine whether AI-related APIs are enabled. If such services are active and associated API keys are publicly accessible through website code or open repositories, those keys should be rotated immediately. Researchers advise prioritizing older keys, as they are more likely to have been deployed publicly under earlier guidance suggesting limited risk. Industry analysts emphasize that API security must be continuous. Changes in how APIs operate or what data they can access may not constitute traditional software vulnerabilities, yet they can materially increase exposure. As artificial intelligence becomes more tightly integrated with cloud services, organizations must move beyond periodic testing and instead monitor behavior, detect anomalies, and actively block suspicious activity to reduce evolving risk.

Publicly Exposed Google Cloud API Keys Gain Unintended Access to Gemini Services #APIKeys #CyberAttacksGemini #CyberCrime

Thousands of Public Google Cloud API Keys Exposed with Gemini Access After API Enablement New research has found that Google Cloud API keys, typically designated as project identifiers for billing purposes, could be abused to authenticate to sensitive Gemini endpoints and access private data. The findings come from Truffle Security, which discovered nearly 3,000 Google API keys (identified by the prefix "AIza") embedded in client-side code to provide Google-related services like

iT4iNT SERVER Thousands of Public Google Cloud API Keys Exposed with Gemini Access After API Enablement VDS VPS Cloud #GoogleCloud #APIkeys #DataSecurity #Gemini #CyberSecurity


Critical vulnerability alert: Legacy Google API keys can silently expose private data via Gemini AI endpoints. Developers must audit and restrict API key access immediately. #CyberSecurity #GoogleCloud #APIKeys Link: thedailytechfeed.com/google-api-k...

Google API Keys Weren't Secrets. But then Gemini Changed the Rules. ◆ Truffle Security Co. Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true.

TruffleHog: Google API keys can become Gemini creds when Generative Language API is enabled. If leaked, they may expose Gemini files and cachedContents and run up charges. Mitigate by scoping keys to Gemini or rotating any public key.

#InfoSec #CloudSecurity #APIKeys

Claude Code Critical Flaws Allowed RCE and API Token Theft: AI Development Security Risks Exposed Critical vulnerabilities (CVE-2025-59536, CVE-2026-21852) in Anthropic's Claude Code allowed remote code execution and API key theft. Patches are available.

Read the full report:
www.technadu.com/claude-code-...

How prepared is your DevSecOps team for AI development supply chain threats? Share your thoughts.
#CyberSecurity #AI #ClaudeCode #DevSecOps #RCE #APIKeys #SupplyChainSecurity

How Poorly Secured Endpoints Are Expanding Risk in LLM Infrastructure   As organizations build and host their own Large Language Models, they also create a network of supporting services and APIs to keep those systems running. The growing danger does not usually originate from the model’s intelligence itself, but from the technical framework that delivers, connects, and automates it. Every new interface added to support an LLM expands the number of possible entry points into the system. During rapid rollouts, these interfaces are often trusted automatically and reviewed later, if at all. When these access points are given excessive permissions or rely on long-lasting credentials, they can open doors far wider than intended. A single poorly secured endpoint can provide access to internal systems, service identities, and sensitive data tied to LLM operations. For that reason, managing privileges at the endpoint level is becoming a central security requirement. In practical terms, an endpoint is any digital doorway that allows a user, application, or service to communicate with a model. This includes APIs that receive prompts and return generated responses, administrative panels used to update or configure models, monitoring dashboards, and integration points that allow the model to interact with databases or external tools. Together, these interfaces determine how deeply the LLM is embedded within the broader technology ecosystem. A major issue is that many of these interfaces are designed for experimentation or early deployment phases. They prioritize speed and functionality over hardened security controls. Over time, temporary testing configurations remain active, monitoring weakens, and permissions accumulate. In many deployments, the endpoint effectively becomes the security perimeter. Its authentication methods, secret management practices, and assigned privileges ultimately decide how far an intruder could move. 
Exposure rarely stems from a single catastrophic mistake. Instead, it develops gradually. Internal APIs may be made publicly reachable to simplify integration and left unprotected. Access tokens or API keys may be embedded in code and never rotated. Teams may assume that internal networks are inherently secure, overlooking the fact that VPN access, misconfigurations, or compromised accounts can bridge that boundary. Cloud settings, including improperly configured gateways or firewall rules, can also unintentionally expose services to the internet. These risks are amplified in LLM ecosystems because models are typically connected to multiple internal systems. If an attacker compromises one endpoint, they may gain indirect access to databases, automation tools, and cloud resources that already trust the model’s credentials. Unlike traditional APIs with narrow functions, LLM interfaces often support broad, automated workflows. This enables lateral movement at scale. Threat actors can exploit prompts to extract confidential information the model can access. They may also misuse tool integrations to modify internal resources or trigger privileged operations. Even limited access can be dangerous if attackers manipulate input data in ways that influence the model to perform harmful actions indirectly. Non-human identities intensify this exposure. Service accounts, machine credentials, and API keys allow models to function continuously without human intervention. For convenience, these identities are often granted broad permissions and rarely audited. If an endpoint tied to such credentials is breached, the attacker inherits trusted system-level access. Problems such as scattered secrets across configuration files, long-lived static credentials, excessive permissions, and a growing number of unmanaged service accounts increase both complexity and risk. Mitigating these threats requires assuming that some endpoints will eventually be reached. 
Security strategies should focus on limiting impact. Access should follow strict least-privilege principles for both people and systems. Elevated rights should be granted only temporarily and revoked automatically. Sensitive sessions should be logged and reviewed. Credentials must be rotated regularly, and long-standing static secrets should be eliminated wherever possible. Because LLM systems operate autonomously and at scale, traditional access models are no longer sufficient. Strong endpoint privilege governance, continuous verification, and reduced standing access are essential to protecting AI-driven infrastructure from escalating compromise.

How Poorly Secured Endpoints Are Expanding Risk in LLM Infrastructure #APIKeys #cyberintrusion #DataBreach

Critical better-auth Flaw Enables API Key Account Takeover  A flaw in the better-auth authentication library could let attackers take over user accounts without logging in. The issue affects the API keys plugin and allows unauthenticated actors to generate privileged API keys for any user by abusing weak authorization logic. Researchers warn that successful exploitation grants full authenticated access as the targeted account, potentially exposing sensitive data or enabling broader application compromise, depending on the user’s privileges.  The better-auth library records around 300,000 weekly downloads on npm, making the issue significant for applications that rely on API keys for automation and service-to-service communication. Unlike interactive logins, API keys often bypass multi-factor authentication and can remain valid for long periods. If misused, a single key can enable scripted access, backend manipulation, or large-scale impersonation of privileged users.  Tracked as CVE-2025-61928, the vulnerability stems from flawed logic in the createApiKey and updateApiKey handlers. These functions decide whether authentication is required by checking for an active session and the presence of a userId in the request body. When no session exists but a userId is supplied, the system incorrectly skips authentication and builds user context directly from attacker-controlled input. This bypass avoids server-side validation meant to protect sensitive fields such as permissions and rate limits.  In practical terms, an attacker can send a single request to the API key creation endpoint with a valid userId and receive a working key tied to that account. The same weakness allows unauthorized modification of existing keys. Because exploitation requires only knowledge or guessing of user identifiers, attack complexity is low. Once obtained, the API key allows attackers to bypass MFA and operate as the victim until the key is revoked.  
A patched version of better-auth has been released to fix the authorization checks. Organizations are advised to upgrade immediately, rotate potentially exposed API keys, review logs for suspicious unauthenticated requests, and tighten key governance through least-privilege permissions, expiration policies, and monitoring.  The incident highlights broader risks tied to third-party authentication libraries. Authorization flaws in widely adopted components can silently undermine security controls, reinforcing the need for continuous validation, disciplined credential management, and zero-trust approaches across modern, API-driven environments.

Critical better-auth Flaw Enables API Key Account Takeover #APIKeys #DataBreach #DataLeak


Critical vulnerability in better-auth API keys plugin allows unauthenticated account takeovers. Immediate upgrade to version 1.3.26 recommended. #CyberSecurity #APIKeys #Authentication Link: thedailytechfeed.com/critical-bet...

Based On A True Story

#Chatgpt #security #Apikeys #debugging #Environmentvariables

programmerhumor.io/security-memes/based-on-...

The Unseen Storm: Securing APIs and Protecting Against Key Exposure The Unseen Storm: Securing APIs and Protecting Against Key Exposure This week on Upwardly Mobile, we delve into the hidden dangers lurking within seemingly simple applications and the advanced solutions required to close the modern mobile security trust gap. We analyze a case study involving a basic weather application to illustrate how common development mistakes—like exposing sensitive API keys and neglecting input validation—create catastrophic security vulnerabilities, potentially leading to data breaches, financial loss, and system compromise. The Problem: Client-Side Secrets and Architectural Flaws The proliferation of web applications consuming public APIs has vastly expanded the attack surface. Developers often treat the client environment as trusted, leading to critical architectural failures. We discuss how exposed API keys embedded in client-side JavaScript are considered "low-hanging fruit" for attackers. Key Takeaways from the Security Analysis: - Reconnaissance and Exploitation: Attackers can use tools like curl and grep with regular expressions to scan target URLs for hardcoded API key patterns. Once obtained, keys can be used for unauthorized calls, potentially exceeding quotas and incurring costs. - Interception: Tools like Burp Suite enable attackers to intercept and modify API traffic, revealing the exact structure of API calls, including the API key and parameters. - Injection Attacks: Poor input sanitization on server-side search functionalities is a primary attack vector. We examine verified command snippets used to test for command injection (e.g., appending cat /etc/passwd) and NoSQL Injection (e.g., using MongoDB operator syntax). - Lateral Movement: An exposed API key is often just the beginning. 
If the key has excessive permissions, it can allow an attacker to enumerate IAM policies, check for sensitive S3 buckets, and even create persistent administrative users, leading to a full cloud account takeover. Defensive Fundamentals for Developers: To combat these threats, security must be shifted left—integrated into the earliest stages of development. We review critical defensive measures: - Environment Variable Security: API keys must never be exposed to the client; they should reside in secure server-side environment variables. The client should request data from your secure server endpoint, which then internally fetches the data from the third-party API using the hidden key. - Rate Limiting: To protect backend APIs from abuse and "Denial-of-Wage" attacks (attacks that incur cost), rate limiting middleware (like express-rate-limit) is essential. This blocks automated scripts by limiting each IP to a set number of requests within a time window. - Cloud Hardening: Security extends to infrastructure. Developers must audit cloud resources, checking S3 bucket policies for leaks and ensuring EC2 security groups only allow necessary web traffic (ports 80 and 443). Closing the Mobile API Security Trust Gap with Positive Authentication While these fundamentals are crucial, mobile app security introduces unique challenges, creating a concerning "trust gap". Traditional security measures like TLS, mutual TLS, embedded API keys, and signature-based approaches are often insufficient, as they are vulnerable to reverse engineering, MitM attacks, and spoofing. We discuss Approov, a solution designed for the mobile world that uses a positive trust model to authenticate the app instance itself, rather than just the user or the connection. - App Attestation: https://approov.io/ uses a challenge-response cryptographic protocol to dynamically measure the integrity of the runtime app image. 
- Tokens (JWT): Only genuine, untampered apps are granted a short-lived JSON Web Token (JWT). Requests without a valid token are immediately rejected by the backend API. - Protection against Reverse Engineering: Because the system does not rely on static secrets embedded in the app, traditional reverse engineering techniques are ineffective. Approov also provides a runtime secrets protection capability, allowing developers to remove third-party API keys from the app package entirely, substituting them only just in time for the API call after the app has passed attestation. - Benefits: This positive authentication model blocks sophisticated bots, automated scraping systems, and repackaged apps, ensuring that only registered, authentic versions of your application can access your valuable digital assets. Links & Resources Source Material Reference: - Excerpts from "https://undercodetesting.com/the-unseen-storm-how-a-simple-weather-app-exposes-critical-api-security-flaws/" - Excerpts from "https://approov.io/addressing-the-security-trust-gap-in-a-mobile-world" Sponsor: - Learn how Approov protects your revenue and business data by deploying Mobile Security: https://www.approov.io/ Keywords API security, mobile security, API key protection, reverse engineering, input validation, client-side vulnerabilities, app attestation, JWT, zero-trust architectures, rate limiting, cloud security, Denial-of-Wage, Man-in-the-Middle (MitM), Burp Suite, Approov. 

📣 New Podcast! "The Unseen Storm: Securing APIs and Protecting Against Key Exposure" on @Spreaker #apikeys #apisecurity #appauthentication #approov #cybersecurity #devsecops #infosec #mobilesecurity #websecurity #zerotrust


Critical vulnerability in better-auth API keys plugin (CVE-2025-61928) allows unauthenticated attackers to create privileged credentials. Update to version 1.3.26+ immediately. #CyberSecurity #APIKeys #BetterAuth Link: thedailytechfeed.com/critical-vul...

What is an API? A Simple Guide for Beginners (2024) You Use Them Every Day, But What Exactly *Is* an API? Let's try a little experiment. Pull out your phone. Open your favorite weather app. What's the temperature outside? Now,…

What is an API? A Simple Guide for Beginners (2024) #APIintegration #webAPI #RESTAPIexplained #whatisanendpoint #APIkeys #JSONdata #APIexample #applicationprogramminginterface #whatisanAPI #APItutorial

Secrets in the Shell: Securely Entering Secrets in PowerShell Users of PowerShell may have encountered or make use of the SecretManagement and SecretStore modules to securely handle their passwords, API keys, and other sensitive secrets both for daily use as wel...

You might be *storing* your secrets securely in PowerShell, but are you *entering* them securely?

www.linkedin.com/pulse/secret...

#PowerShell #pwsh #SecretManagement #SecretStore #Passwords #Credentials #APIKeys #SystemsAdministration #Automation #Security #CommandLine #Terminal #Shell

Salesloft Integration Breach Exposes Salesforce Customer Data   A recent cyber incident has brought to light how one weak link in software integrations can expose sensitive business information. Salesloft, a sales automation platform, confirmed that attackers exploited its Drift chat integration with Salesforce to steal tokens that granted access to customer environments. Between August 8 and August 18, 2025, threat actors obtained OAuth and refresh tokens connected to the Drift–Salesforce integration. These tokens work like digital keys, allowing connected apps to access Salesforce data without repeatedly asking for passwords. Once stolen, the tokens were used to log into Salesforce accounts and extract confidential data. According to Salesloft, the attackers specifically searched for credentials such as Amazon Web Services (AWS) keys, Snowflake access tokens, and internal passwords. The company said the breach only impacted customers who used the Drift–Salesforce connection, while other integrations were unaffected. As a precaution, all tokens for this integration were revoked, forcing customers to reauthenticate before continuing use. Google’s Threat Intelligence team, which is monitoring the attackers under the name UNC6395, reported that the group issued queries inside Salesforce to collect sensitive details hidden in support cases. These included login credentials, API keys, and cloud access tokens. Investigators noted that while the attackers tried to cover their tracks by deleting query jobs, the activity still appears in Salesforce logs. To disguise their operations, the hackers used anonymizing tools like Tor and commercial hosting services. Google also identified user-agent strings and IP addresses linked to the attack, which organizations can use to check their logs for signs of compromise. 
Security experts are urging affected administrators to rotate credentials immediately, review Salesforce logs for unusual queries, and search for leaked secrets by scanning for terms such as “AKIA” (used in AWS keys), “Snowflake,” “password,” or “secret.” They also recommend tightening access controls on third-party apps, limiting token permissions, and shortening session times to reduce future risk. While some extortion groups have publicly claimed responsibility for the attack, Google stated there is no clear evidence tying them to this breach. The investigation is still ongoing, and attribution remains uncertain. This incident underlines the broader risks of SaaS integrations. Connected apps are often given high levels of access to critical business platforms. If those credentials are compromised, attackers can bypass normal login protections and move deeper into company systems. As businesses continue relying on cloud applications, stronger governance of integrations and closer monitoring of token use are becoming essential.

Salesloft Integration Breach Exposes Salesforce Customer Data #APIKeys #AWS #CyberAttacks


Need an IP geolocation API key?
Takes < 60 seconds to get started with IPinfo.

Here’s how to:
🔑 Get your token
🌐 Call the API via cURL, JS, or browser
🧪 Test a response

Step-by-step guide → ipinfo.io/blog/how-to-...

#IPData #APIKeys #DevTools


STOP sending API keys over email 😨
Use secure tools like One Time Secret 🔐

Pro tip for managing keys across workflows 👇
This is how you avoid breaking client automations.

Tap to watch 👉 youtu.be/mw1V2GoYHsk

🔥🔥 Join our FREE community 👉 www.skool.com/automation-m...

#APIkeys #n8n #Automation

🔑 Amazon Bedrock API Keys: Simplified Authentication for Developers 🔑 Amazon Bedrock API Keys: Simplified Authentication for Developers What...

📢🚨New blog #AWSEspanol on #devto: 🔑 Amazon Bedrock API Keys: Simplified Authentication for Developers

#AmazonBedrock #APIKeys #Developers #Authentication #CloudSecurity

🔑 Amazon Bedrock API Keys: Simplified Authentication for Developers Amazon Bedrock now offers two types of API Keys to simplify programmatic authentication, each...

🚀📝 🔑 Amazon Bedrock API Keys: Simplified Authentication for Developers

#AmazonBedrock #APIKeys #CloudSecurity #AWS #ProgrammaticAuthentication


An employee leaked API keys from xAI, causing information breaches in SpaceX, Tesla, and more…

Read the article here: winbuzzer.com/2025/05/02/a...

Keep up with incidents like this with FireTail’s breach tracker: www.firetail.ai/ai-breach-tr...

#Breaches #Musk #Tesla #SpaceX #APIKeys #DataLeak

Rise in Data-Stealing Malware Targeting Developers, Sonatype Warns

A recent report released on April 2 has uncovered a worrying rise in open-source malware aimed at developers. These attacks, described as “smash and grab” operations, are designed to swiftly exfiltrate sensitive data from development environments. Brian Fox, co-founder and CTO of Sonatype, explained that developers are increasingly falling victim to deceptive software packages. Once installed, these packages execute malicious code to harvest confidential data such as API keys, session cookies, and database credentials—then transmit it externally. “It’s over in a flash,” Fox said. “Many of the times, people don’t recognize that this was even an attack.”

Sonatype, a leader in software supply-chain security, revealed that 56% of malware identified in Q1 2025 focused on data exfiltration. These programs are tailored to extract sensitive information from compromised systems. This marks a sharp increase from Q4 2024, when only 26% of open-source threats had such capabilities. The company defines open-source malware as “malicious code intentionally crafted to target developers in order to infiltrate and exploit software supply chains.”

Fox emphasized that these attacks often begin with spear phishing tactics—posing as legitimate software packages on public repositories. Minor changes, such as replacing hyphens with underscores in filenames, can mislead even seasoned developers. “The attackers fake the number of downloads. They fake the stars so it can look as legit as the original one, because there’s not enough awareness. [Developers] are not yet trained to be skeptical,” Fox told us.

These stolen data fragments—while small—can have massive consequences. API keys, hashed passwords, and cookie caches serve as backdoors for broader attacks. “They’re breaking into the janitor’s closet, not to put in a bomb, but to grab his keychain, and then they’re going to come back at night with the keychain,” Fox said.

The 2025 report highlights early examples:

- Compromised JavaScript packages on npm were found to steal environment variables, which typically contain API tokens, SSH credentials, and other sensitive information.
- A fake npm extension embedded spyware that enabled complete remote access.
- Malicious packages targeted cryptocurrency developers, deploying Windows trojans capable of keylogging and data exfiltration. These packages had over 1,900 downloads collectively.

A separate report published by Sonatype in November 2024 reported a 156% year-over-year surge in open-source malware. Since October 2023, over 512,847 malicious packages have been identified—including but not limited to data-exfiltrating malware.

Rise in Data-Stealing Malware Targeting Developers, Sonatype Warns #APIKeys #Cybersecurity #DataBreach
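
The article notes that a lookalike package can differ from the real one only by a hyphen swapped for an underscore. The sketch below is an added example, not code from Sonatype or the article: it checks requested dependency names against a vetted list and flags separator-only and one-character differences before anything is installed. The allowlist, the sample manifest and all function names are assumptions made up for illustration.

```python
import re

# Constructed allowlist of dependency names a team has vetted (hypothetical).
KNOWN_GOOD = {"left-pad", "node-fetch", "python-dateutil", "requests"}

def canonical(name):
    """Fold case and collapse runs of '-', '_' and '.' into a single '-'."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(requested, known=KNOWN_GOOD):
    """Return (verdict, closest vetted name or None) for one requested name."""
    if requested in known:
        return ("exact", requested)
    canon = canonical(requested)
    for good in sorted(known):
        if canonical(good) == canon:   # differs only by case or separators
            return ("separator-lookalike", good)
    for good in sorted(known):
        if edit_distance(canon, canonical(good)) == 1:   # one typo away
            return ("near-miss", good)
    return ("unknown", None)

def audit(requested_names, known=KNOWN_GOOD):
    """Map every non-exact name to its verdict so a reviewer sees only risky ones."""
    findings = {}
    for name in requested_names:
        verdict = classify(name, known)
        if verdict[0] != "exact":
            findings[name] = verdict
    return findings

# Constructed manifest entries, not taken from any real incident.
SAMPLE_MANIFEST = ["requests", "left_pad", "Node.Fetch", "requestss", "internal-tool"]

if __name__ == "__main__":
    for name, (verdict, match) in audit(SAMPLE_MANIFEST).items():
        print(f"{name}: {verdict} (closest vetted name: {match})")
```

An "unknown" verdict is not a finding by itself; it only means the name has not been vetted yet.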

HaveIBeenPwned Founder Compromised in Phishing Incident

The cybersecurity expert Troy Hunt, who founded the data breach notification platform Have I Been Pwned, recently revealed that he had been the victim of a phishing attack intended to compromise his subscriber list. Hunt explained the circumstances of the incident in a detailed blog post and provided screenshots of the deceptive email that enabled the attack to succeed. The fraudulent message impersonated Mailchimp, a legitimate email marketing company, and embedded a hyperlink to a nearly identical but fraudulent domain, a common phishing technique. The spoofed domain, MailChimp-sso.com (now deactivated), was very difficult to distinguish at a glance from the authentic one. Hunt acknowledged that he was severely fatigued and experiencing jet lag at the time of the attack, which made it harder for him to act correctly.

In response to the email, he accidentally entered his credentials along with the one-time password used for authentication. However, the fraudulent webpage did not proceed to the interface he expected, signalling that the attack had been carried out. The incident shows that phishing scams remain a very prevalent risk and underscores the importance of maintaining constant vigilance, even among cybersecurity professionals. As soon as Hunt discovered that he had been victimized by a phishing scam, he reset his password and reviewed his account activity. However, since the phishing attack was highly automated, his credentials had already been exfiltrated by the time he could respond. Although Hunt has extensive cybersecurity experience, this particular phishing attempt proved to be extremely successful.
Hunt attributes the success both to his exhaustion after a long flight and to the sophistication of the email. According to him, the phish was "well-crafted" and subtly manipulated psychological triggers. Rather than using overt threats or excessive urgency, the email suggested that he would not be able to send newsletters unless he took action. It thus carried just the right amount of apprehension to prompt action without creating suspicion.

Hunt, the founder of Have I Been Pwned, a platform that alerts people to compromised credentials, has taken steps to ensure that the information exposed in this incident will be incorporated into his platform in the future, which he hopes will lead to improved performance. A direct notification will be sent to individuals who have been affected by the breach, including both current subscribers and those who have already unsubscribed but are still impacted by the breach.

Troy Hunt, a cybersecurity expert who runs a blog dedicated to cyber security and privacy, was targeted on March 25, 2018, by a phishing attack that compromised subscriber data from his blog. The attack originated from an email impersonating Mailchimp, the platform he uses for sending out blog updates via email. According to the fraudulent message, his account had been suspended temporarily because of a spam complaint and he was required to log in to resolve it. The fake email made itself look authentic by threatening disruption of service and creating a sense of urgency. Hunt was unable to recognize this attack despite his extensive experience in identifying similar scams, as he was fatigued and jet lag affected his judgment. When he attempted to log in through the email's link, he noticed an anomaly: his password manager did not automatically fill in his credentials.
This could indicate that the website is fraudulent, but it is not a definitive indication, since legitimate services sometimes require a login from a different domain.

As a result of the attack, approximately 16,000 email records were exfiltrated, including those of active and unsubscribed readers alike. This is the result of Mailchimp's policy of retaining unsubscribed user information, a practice that is now being reviewed. The compromised data included email addresses, subscription statuses, IP addresses and location metadata, though the geolocation data did not pinpoint subscriber locations specifically.

When the breach was discovered, immediate steps were taken to prevent further damage. It was determined that the attacker's API key would be revoked by Mailchimp, and the phishing website would be taken offline once the password was reset. Hunt, the founder of Have I Been Pwned, a platform that tracks data breaches, has now added this incident to its database, making sure that affected users are made aware of it.

As phishing has become increasingly sophisticated over the years, it has moved beyond stereotypical poorly worded emails and implausible requests into new levels of complexity. Cybercriminals today employ extremely sophisticated tactics that take advantage of human psychology, making it more and more difficult for consumers to distinguish between legitimate and fraudulent communications. The recent incident highlights the growing risks associated with targeted phishing attacks, as well as the importance of cybersecurity awareness and defense.

Key Insights and Takeaways

Psychological Manipulation and the Subtle Use of Urgency

The majority of phishing emails are crafted to create a feeling of immediate panic in the target, for example through threats of account suspension or urgent payment requests.
However, modern attackers have honed their strategies, using subtle psychological techniques to weaken the defences of their targets. In this case, the fraudulent email implied a very minor yet urgent issue: that the newsletter could not be sent. The email created just enough concern to manipulate the recipient into taking action without raising suspicion. It is therefore imperative to recognize psychological manipulation in social engineering attacks; even small, relatively urgent requests should be viewed with suspicion, especially when they involve logging into an account or updating one's credentials.

Password Manager Behavior as a Security Indicator

In this attack, several red flags pointed to the behaviour of Hunt's password manager. Password managers are designed to recognize and auto-fill credentials only when they are used on legitimate websites. It should have been a warning sign that the credentials failed to populate automatically, which could have indicated that the website was fraudulent. By paying close attention to their password manager's behaviour, users can become more aware of security risks. The site may be a spoofed one if the credentials are not automatically filled. Instead of entering the login details manually, users should double-check the source of the website and confirm it is authentic before proceeding.

The Limitations of One-Time Passwords (OTPs) in Phishing Attacks

Multi-factor authentication (MFA) is widely considered to be one of the best security measures available, but it is not immune to phishing attacks. In this case, the attackers also asked Hunt to provide an OTP after he had provided his username and password.
Once he provided the password, the attackers gained access to his legitimate account immediately.

A major weakness of OTP-based authentication is its inability to protect against real-time phishing attacks, where credentials are stolen and used instantly. The risk can be mitigated by requiring users to enter OTPs when they see sites that look suspicious or differ slightly from their usual login flow. Users are advised to be cautious when they are asked to enter an OTP.

Passkeys as a Stronger, Phishing-Resistant Alternative

There is no better way to authenticate a user than using passkeys, which are cryptographic credentials linked to the user's device instead of traditional passwords. Passkeys are based on biometric authentication, for example fingerprints or facial recognition, or on on-device authentication mechanisms.

As passkeys do not involve manually entering credentials, they have a much higher resistance to phishing attacks than traditional passwords. Unlike passwords and OTPs, passkeys work on a trust-based model that requires physical access to the device registered for authentication. Passkeys are a powerful alternative to traditional login methods and can serve as a valuable defence against phishing attempts.

The Importance of Continuous Security Awareness

Even cybersecurity experts can be susceptible to sophisticated attacks, highlighting the importance of maintaining constant vigilance. The best ways to enhance your security are:

- Verifying URLs carefully – Keep an eye out for slight misspellings or variations in URLs, as attackers are often able to create a lookalike URL.
- Using security keys or passkeys – By using hardware-based authentication, such as YubiKeys, or passkeys, you can be assured that your information will be secure.
- If you receive a suspicious email asking for login credentials, security updates, or sensitive actions, be cautious and verify the message separately.
- Using Advanced Threat Protection – Organizations should take advantage of tools powered by artificial intelligence that are capable of detecting phishing attempts and blocking them in real time.
- Educating Employees and Individuals – By attending regular cybersecurity training, you can become aware of the ever-evolving tactics used by phishing websites, minimizing the chances of human error.

Although it is not possible to ensure complete protection against phishing attacks with just one security measure, adopting a multi-layered approach, a combination of awareness, technological safeguards, and behavioural vigilance, can greatly reduce your chances of becoming a victim. As the Troy Hunt incident demonstrates, even the most experienced cybersecurity professionals are not immune to social engineering techniques.

Fatigue and reduced attentiveness contributed significantly in this case, leading to a misjudgment that was essentially avoidable. Social engineering can be extremely effective when it is employed in the right circumstances to reach the right people at the right time, resulting in a misjudgment that could have been avoided. The incident illustrates how cybercriminals exploit human vulnerabilities to achieve their objectives.

According to Aditi Gupta, a principal security consultant at Black Duck, attackers use a variety of tactics, such as fear, urgency, and fatigue, to manipulate unsuspecting victims and fool inexperienced people, reinforcing the theory that no one can escape sophisticated phishing schemes altogether.
However, Hunt has been praised for being transparent in sharing his experience, which has served as a powerful tool for educating others about the risks associated with cybersecurity, despite the setbacks he has experienced.

While admitting that he had made mistakes, he also expressed concern about Mailchimp’s security practices, especially the fact that the company did not offer two-factor authentication that is phishing resistant and kept intact for years to come. Cyber threats are mitigated through continuous vigilance, robust authentication mechanisms, and organizational responsibility.

The threat of social engineering attacks continues to increase, and to remain protected from these attacks it is imperative to strengthen security protocols, eliminate conventional authentication methods, and maintain cybersecurity awareness throughout the organization.

HaveIBeenPwned Founder Compromised in Phishing Incident #APIKeys #CredentialPhishing #CyberAttacks
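
The article's points about autofill and passkeys both come down to binding a credential to a domain, which a typed password or OTP never is. The sketch below is an added example, not code from Hunt's post or from any password manager: it shows why a saved login and a passkey both refuse the lookalike domain named above. The saved host, the other sample URLs and the function names are assumptions, and the two-label domain rule stands in for the Public Suffix List that real tools consult.

```python
from urllib.parse import urlsplit

# Constructed vault entry: the host the credential was saved on (assumed value).
SAVED_HOST = "login.mailchimp.com"

def host_of(url):
    """Lower-cased hostname of an https URL, or None for anything else."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()

def registrable_domain(host):
    """Last two labels. Simplification: real tools use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def autofill_allowed(saved_host, page_url):
    """Offer the saved login only when the page shares its registrable domain."""
    page_host = host_of(page_url)
    if page_host is None:
        return False
    return registrable_domain(page_host) == registrable_domain(saved_host)

def rp_id_matches(rp_id, page_url):
    """Passkey-style binding: the page host must equal rp_id or be a subdomain
    of it on a label boundary. Simplified form of the WebAuthn RP ID check."""
    page_host = host_of(page_url)
    if page_host is None:
        return False
    return page_host == rp_id or page_host.endswith("." + rp_id)

def evaluate(page_urls, saved_host=SAVED_HOST, rp_id="mailchimp.com"):
    """Return {url: (autofill offered?, passkey usable?)} for each page."""
    return {u: (autofill_allowed(saved_host, u), rp_id_matches(rp_id, u))
            for u in page_urls}

# Constructed URLs; only the lookalike domain itself appears in the article.
SAMPLE_PAGES = [
    "https://login.mailchimp.com/",
    "https://mailchimp-sso.com/login",
    "https://mailchimp.com.example.net/login",
]

if __name__ == "__main__":
    for url, (fill, passkey) in evaluate(SAMPLE_PAGES).items():
        print(f"{url}: autofill={fill} passkey={passkey}")
```

A one-time password has no equivalent check: it is valid wherever the user types it, which is why the relayed OTP in this incident still worked.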
