What Happens When Your API Key Gets Leaked (Real Examples)

Published March 9, 2026 · 12 min read · By SPUNK LLC

API key leaks are not theoretical risks. They happen every day and the consequences range from unexpected bills to complete infrastructure compromise. Understanding what actually happens when a key is exposed helps you appreciate why credential security deserves serious engineering attention. Here are documented real-world examples of what follows an API key leak.

The Timeline of a Leaked Key

Before diving into specific incidents, it is important to understand how fast attackers move. Security researchers have consistently documented this timeline for keys pushed to public GitHub repositories:

0-1 minutes: Automated bots monitoring the GitHub Events API detect the commit containing a key pattern.
1-5 minutes: The key is tested against the corresponding API to verify it is valid.
5-30 minutes: If valid, the key is used for its most profitable purpose: spinning up cryptocurrency mining instances (for cloud keys), exfiltrating data, or making API calls on the victim's account.
1-24 hours: GitHub's secret scanning notifies the API provider, which may automatically revoke the key. But by this point, significant damage may have occurred.

Real-World Incidents

Capital One AWS Breach (2019) 100 million records exposed

In one of the largest cloud credential breaches on record, a former AWS employee exploited a misconfigured WAF to obtain temporary AWS credentials from the EC2 metadata service. These credentials gave access to Capital One's S3 buckets containing personal data of over 100 million customers, including Social Security numbers and bank account details. Capital One was fined $80 million by the OCC and settled a class-action lawsuit for $190 million. The breach demonstrated how a single credential misconfiguration in cloud infrastructure can lead to massive data exposure.

Firebase Admin Key in a Mobile App 116,000 user records exposed

A mobile app shipped with a Firebase admin key embedded in the client-side JavaScript bundle. Security researchers discovered that the key had full read and write access to the Firestore database. The exposed data included user emails, phone numbers, encrypted passwords, and partial payment information. The company faced regulatory scrutiny and had to notify all affected users under GDPR requirements. The fix took 10 minutes (rotate the key and move it server-side), but the breach response took 6 months.

Uber's Private GitHub Repository 57 million user records stolen

In one of the most high-profile credential leaks, attackers accessed a private GitHub repository used by Uber engineers. Inside, they found AWS credentials that gave them access to an S3 bucket containing personal data of 57 million riders and drivers. Uber paid the attackers $100,000 through their bug bounty program and did not disclose the breach for over a year, eventually resulting in regulatory fines and the CISO facing criminal charges for the cover-up.

Tesla Kubernetes Cryptomining (2018) Cloud resources hijacked for mining

Security researchers at RedLock discovered that Tesla's Kubernetes console was accessible without password protection. Attackers used the exposed credentials to access Tesla's AWS environment and deploy cryptocurrency mining software. The mining pods were carefully configured to consume limited CPU to avoid detection, and traffic was routed through CloudFlare to mask the mining pool connection. Tesla's AWS environment also contained sensitive telemetry data. The incident was reported through Tesla's bug bounty program and highlighted how exposed infrastructure credentials in container environments can lead to both resource abuse and data exposure.

Docker Hub Exposed Internal Keys 190,000 accounts compromised

In 2019, Docker Hub discovered unauthorized access to a database containing usernames, hashed passwords, and GitHub and Bitbucket tokens for approximately 190,000 accounts. The exposed tokens gave attackers potential access to private repositories linked to those accounts. Docker Hub forced password resets and revoked all exposed tokens, but the incident highlighted how a single credential breach can cascade across interconnected services.

Codecov Supply Chain Attack (2021) Credentials stolen from thousands of CI pipelines

Attackers modified Codecov's Bash Uploader script to exfiltrate environment variables — including API keys, tokens, and credentials — from customers' CI/CD pipelines. The compromised script ran undetected for over two months, collecting secrets from thousands of organizations including Twitch, HashiCorp, and other major companies. HashiCorp confirmed that its GPG signing key was exposed, and Twitch later suffered a massive data breach linked to the incident. The attack demonstrated how a single compromised credential in a supply chain tool can cascade across an entire ecosystem of organizations.

The Most Common Attack Patterns

Cryptocurrency Mining (Cloud Provider Keys)

This is the most common abuse of leaked AWS, GCP, and Azure credentials. Attackers spin up the most expensive GPU instances available across every region, deploy mining software, and extract value before the key is revoked. A single leaked AWS root key can generate over $100,000 in charges within 24 hours. Cloud providers have become better at detecting this pattern and often waive charges, but the account disruption is significant.

Data Exfiltration (Database and Storage Keys)

Keys that grant access to databases, S3 buckets, or other data stores are used to download everything accessible. Attackers may sell the data, use it for identity theft, or hold it for ransom. The value of the data often far exceeds any compute charges.

Service Abuse (SaaS API Keys)

Keys for services like Twilio (SMS), SendGrid (email), OpenAI (compute), or Stripe (payments) are used to consume services at the victim's expense. SMS keys are popular for sending spam or phishing messages. Email keys are used for spam campaigns. AI API keys are used for generating content at scale.

Lateral Movement

A leaked key with broad permissions can be used to discover and access other resources in the account. Attackers enumerate S3 buckets, database instances, Lambda functions, and other services to find additional credentials or valuable data. A single key can be the entry point that leads to full account compromise.

Why GitHub Secret Scanning Is Not Enough

GitHub's secret scanning program (which notifies API providers when recognized secret patterns appear in public repositories) has prevented millions of potential incidents. However, it is not a complete solution:

Detection delay. There is a window between when a key is pushed and when the provider is notified. Automated scanners exploit this window.
Not all providers participate. GitHub partners with major providers (AWS, Stripe, Google), but smaller or niche API providers may not have integration.
Custom secrets are not detected. Database passwords, internal service tokens, and application-specific secrets do not match GitHub's scanning patterns.
Private repos are limited. Secret scanning for private repositories requires GitHub Advanced Security, which is a paid feature for most organizations.
Forks and caches. Even after a key is revoked, copies may exist in forks, local clones, CI/CD logs, and web caches.

The Financial Reality

Based on aggregated incident data from security reports and public disclosures, here is what credential leaks typically cost:

Cloud provider keys (AWS/GCP/Azure): $5,000 to $150,000 in compute charges. Providers sometimes waive charges for first-time incidents, but repeated leaks result in full liability.
Payment processor keys (Stripe/Braintree): $500 to $50,000 in fraudulent charges, plus potential chargeback fees and account suspension.
Communication API keys (Twilio/SendGrid): $1,000 to $30,000 in messaging charges, plus potential account termination for spam abuse.
Data breach (database/storage keys): Average cost of $4.45 million per data breach (IBM 2023 Cost of a Data Breach Report), including notification, legal, regulatory fines, and reputational damage.

How to Detect If Your Keys Have Been Leaked

Proactive detection can limit damage. Implement these checks:

# Scan all repositories in your GitHub org for known secret patterns
gh api orgs/YOUR-ORG/repos --paginate -q '.[].full_name' | while read repo; do
  echo "Scanning $repo..."
  gitleaks detect --source="https://github.com/$repo" --exit-code 1
done

# Monitor AWS CloudTrail for access key usage from unknown IPs
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=AKIAEXAMPLE \
  --start-time 2026-03-01 \
  --end-time 2026-03-09

# Check if your keys appear in known breach databases
# Services like haveibeenpwned.com scan for exposed credentials
# Commercial tools like SpectralOps and GitGuardian provide continuous monitoring

Key Takeaway

API key leaks are not a matter of "if" but "when." The difference between a minor incident and a catastrophic breach is preparation: automated rotation, least-privilege permissions, real-time monitoring, and a practiced incident response plan. Every one of the incidents above was preventable with basic credential hygiene. The cost of prevention is minutes. The cost of a breach is months.

Protect Yourself: Recommended Tools

The Web Application Hacker's Handbook — understand how attackers discover and exploit exposed credentials.
YubiKey 5 NFC — Hardware Security Key — hardware 2FA prevents account takeover even if an API key is leaked.