By Andrew Bartlam, Flare

Cybersecurity efforts employed by third-party vendors are increasingly having knock-on effects on organizations. A recent attack on theU.S. Treasury Department, within the Treasury Department's Office of Foreign Assets Control (OFAC) and the Office of the Secretary, was conducted through anexposed API key of a software contractor serving the government institution. This inside view could lead to espionage designed to uncover sanctions planning and high-level government strategy. For companies undergoing similar cyber-related attacks, the stakes are still high. Microsoft reported$3.5 billion in losses in 2024.

In collaboration with Flare,Verizon's DBIR found that scanners actively looking for secrets within public code repositories have had success. One of the more surprising findings is that a high number ofGitLab tokens, representing 50% of all development and CI/CD secrets, are being leaked. Moreover, 43% of disclosed cloud-infrastructure secrets are Google Cloud API keys. Yet key management is still treated as an afterthought, until it's too late.

Poorly configured pipelines and static, long-lived token scopes are the most common ways secrets are leaked and exploited at scale. When IT teams have complex, opaque workflows, unauthorized access is harder to detect. Unlike ransom attacks, infostealer malware can often go undetected, stealing data in the background.

Related:Beyond the Moat: Why There Is Safety in Layers

Many types of malware are actually designed to quickly delete themselves or cover their tracks after execution. This tactic, known as self-deletion or anti-forensics, is commonly used to evade detection and forensic investigation. Organizations must dissect how these issues compromise the keys to ensure proper protection and avoid malicious access across systems.

Understanding API keys' limitations and methods for securing them will help IT security teams keep confidential organizational data in the right hands.

Secure API Key Limitations

APIs represent access points to company applications and, in some cases, customer personally identifiable information (PII) and third-party services. API keys are codes used to identify the application or project that's calling an API, block anonymous traffic, and track API usage.

Infostealers' sole purpose is to steal credentials and API keys to enable unrecognizable malicious access and control of applications. These sophisticatedremote access Trojans (RATs) systematically exfiltrate API keys, browser-saved credentials, session cookies, browser fingerprints, and other sensitive system data. If an API key has access to a tenant, so does the user of that API key.

Related:How to Shift Security Left in Complex Multi-Cloud Environments

Static token scopes are a key limitation, since the permissions of that API key remain until the API key expires or is revoked. However, IT security teams may not notice an infostealer captured their information until months or even years after. The FBI continued to review the Raccooninfostealer case, finding new stolen data in 2023 and 2024, two years after they initially recovered50 million unique credentials.

IT security teams also must be meticulous indesigning CI/CD pipelines. Misconfigured pipelines that grant excessive admin or write access permissions to users can expose sensitive logs containing API keys. Innocent users may accidentally make API keys public, particularly if developers have hardcoded them into a CI/CD script for quick testing. Research intomore than 156,000 iOS apps unveiled more than 815,000 hardcoded secrets, with 71% of apps leaking at least one secret.

Moreover, if a malicious actor has gained access to shared drives since API keys were rotated, they can potentially access new keys. Since the CI/CD pipeline is compromised, key rotation also no longer suffices as protection.

Vikas Basra, global head of the Intelligent Engineering Practice at Ness Digital Engineering, said, "Completing a release cycle takes around three to six months due to rigid hierarchies, manual QA, and limited CI/CD automation."

Related:The New Front Line: API Risk in the Age of AI-Powered Attacks

Automatic Key Invalidation

By default, Azure OpenAI API keys expire every six months. In some other cases, API keys expire at the end of the contract with the third party, or they may not expire at all. That means once the key is stolen, it may be used indefinitely until its expiration date unless the project owner revokes or regenerates it. True security means keys that instantly invalidate if misused.

While API keys don't identify users, they identify projects and traffic so that API producers can debug an issue or see their application's usage. Organizations can use this insight to recognize and automate key invalidation when unusual traffic behavior occurs. Users of the key would be automatically blocked from accessing the API, and only those authorized would be sent the updated key. Since this happens in real time, pipelines should not be compromised.

To avoid the key being invalidated, a hacker would need to use the key from the same geo/IP address, mimic similar traffic patterns, and use it around the same time as the original key owner.

However, anomaly detection needs to be extremely reliable, because false positives — cases where normal behavior is mistakenly flagged as suspicious — can knock the system offline. A false positive might occur if the system sees a sudden traffic spike, a new IP address, or an unexpected usage pattern and wrongly concludes the key has been compromised. Since these kinds of usage anomalies are fairly common, the real question becomes: How much effort is someone willing to put into configuring this?

Developers can look out for providers', such as Google's,endpoints for automatic key invalidation. However, they should be cautious because, in the case of OpenAI and smaller providers, there usually isn't an option to programmatically invalidate and refresh the API key.

Dark Web Monitoring

Cybersecurity leaders do not have the luxury of throwing caution to the wind; even with the most well-articulated algorithms and endpoint protection, infostealer malware might still quietly swipe credentials from under an organization's nose. A victim's data can be for sale on the dark web before they even notice they've been hit. Human error, if nothing else (and there is a LOT else), means that things will be exposed, stolen, hacked, and delivered to the dark web, so it's important to set those tripflares early to warn you as soon as your credentials become exposed.

Charlie Sander, CEO of edtech cybersecurity provider ManagedMethods, highlighted the scale of the issue for educational institutions: "The first months of 2025 have already raised serious concerns about data security in the education sector and the potential long-term consequences for affected students and staff. … The hackers behind thePowerSchool breach are reported to have stolen data records for 62.4 million students and 9.5 million teachers."

Real-time dark web monitoring means being in the clear, deep, and dark web communities where malicious actors buy and sell stolen confidential data. Keeping a pulse on illegal data transactions and actively searching for organizational data, keys, and credentials enable IT teams to identify a leak before it escalates into a breach. IT teams can do a few things with this information:

A 2023 survey found thatonly 13% of organizations could prevent more than half of API attacks. Human error is also the most likely root cause of leaked credentials. With increased visibility into leaked information and additional training for employees, organizations can better protect themselves from repeat attacks.

Infostealer malware and malicious attacks are surging, and automation is enabling malicious actors to invade at scale. Organizations are up against more advanced breaches that implicate entire supply chains. Getting out beyond the perimeter and catching stolen credentials early, learning from the leakage, and modifying API key security and employee training accordingly help keep malicious parties out of business, but it's critical to stay a step ahead.

As the acclaimed author H. Jackson Brown Jr. once said: "The best preparation for tomorrow is doing your best today."

About the author:

Andrew Bartlam is VP EMEA and Global Channel at cybersecurity SaaS companyFlare. He is a 30-year industry veteran having occupied senior management, sales and strategic alliances roles, both in the U.S. and UK, at several high-tech scale-ups and at industry analyst Gartner. Andrew's last three companies have all been cyber-related, including CipherCloud, Orca Security, and Instart. He has been part of four IPOs, and in his spare time, he is an advisor to a handful of tech startup founders. He is passionate about the role of Channel in scaling a business. Andrew graduated from the University of Portsmouth with a degree in politics and international relations.

• ITPro Today's 2025 IT Priorities Report

  Aug 8, 2025

• Edge Computing Trends: Adoption, Challenges, and Future Outlook

  Jul 15, 2025

• ITPro Today’s 2024 State of DevOps Report

  Dec 16, 2024

• BCDR Basics: A Quick Reference Guide for Business Continuity & Disaster Recovery

  Oct 10, 2024