
We used NerdyData's Custom Reporting tool and identified 757 distinct Secret or restricted Stripe API Keys across 1,056 unique domains.
Stripe API keys are what power Stripe's e-commerce platform and give access to export customer data, business subscription data, and even charge customers. This can lead to security vulnerabilities and data breaches if the keys are not properly protected.
NerdyData's Custom Reporting product scans over 2.4 billion webpages, across 38 million registered domain names. With these custom reports, we are able to analyze and extract any HTML code that matches a particular search term.
In this case, we scanned for Stripe API keys using a regular expression that matches sk_live_ (full access secret keys) or rk_live_ (restricted permission keys). We were then able to extract which URLs these keys appeared on.
Below are obfuscated samples of the exposed API keys we extracted. If you have questions about the data, feel free to reach out to our team at support@nerdydata.com.
NerdyData identified 757 distinct secret or restricted Stripe API keys across 1,056 unique domains by scanning over 2.4 billion webpages.
The scan identified both full access secret keys (prefixed with sk_live_) and restricted permission keys (prefixed with rk_live_) embedded in publicly accessible web pages.
NerdyData used its Custom Reporting tool to scan billions of webpages using a regular expression that matches live Stripe secret and restricted key prefixes, then extracted the URLs where those keys appeared.
Stripe API keys provide access to export customer data, business subscription data, and the ability to charge customers, meaning an exposed key can lead to data breaches or unauthorized financial activity.
No, publishable keys are designed for use in front-end and client-side code. Only secret keys (sk_live_) and restricted keys (rk_live_) need to be protected, as they are intended to remain within a secure server environment.
You should immediately rotate the compromised key in your Stripe Dashboard to prevent unauthorized access. Revoking the key is the most critical first step before investigating any potential misuse.
Secret and restricted API keys should never be hardcoded in source code or configuration files. Using environment variables or a secure secrets vault keeps keys out of publicly accessible code.
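As an added example (not NerdyData's tooling and not drawn from its data), the following Python script applies the same idea the report describes, a regular expression keyed on the sk_live_ and rk_live_ prefixes, but from the defender's side: run it over your own page source, templates or repository before deploying to catch a hardcoded secret or restricted key, while treating publishable pk_live_ keys as acceptable in client-side code. The regular expression, the sample HTML and every key value in it are constructed assumptions for illustration and are not real Stripe keys; each finding is reported only in an obfuscated form, in the same spirit as the samples above.

```python
import re
from dataclasses import dataclass

# Assumed pattern for illustration: a Stripe live-key prefix followed by a run of
# at least 16 alphanumeric characters. Real key lengths vary; tune for your data.
STRIPE_KEY_RE = re.compile(r"\b(?P<kind>sk|rk|pk)_live_(?P<body>[0-9A-Za-z]{16,})\b")

KIND_LABEL = {
    "sk": "secret",       # full-access key: must stay server-side
    "rk": "restricted",   # restricted-permission key: still server-side only
    "pk": "publishable",  # designed for front-end use: not a finding
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "secret" or "restricted"
    masked: str  # obfuscated key, safe to put in a report or log
    line: int    # 1-based line number in the scanned text


def mask_key(key: str) -> str:
    """Keep the prefix and the last 4 characters, star out the rest."""
    prefix, body = key.split("_live_", 1)
    return f"{prefix}_live_{'*' * (len(body) - 4)}{body[-4:]}"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per secret/restricted key; publishable keys are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in STRIPE_KEY_RE.finditer(line):
            kind = KIND_LABEL[m.group("kind")]
            if kind == "publishable":
                continue
            findings.append(Finding(kind, mask_key(m.group(0)), lineno))
    return findings


def redact(text: str) -> str:
    """Replace secret/restricted keys with their masked form; leave pk_ keys intact."""
    def _sub(m: re.Match) -> str:
        if m.group("kind") == "pk":
            return m.group(0)
        return mask_key(m.group(0))
    return STRIPE_KEY_RE.sub(_sub, text)


# Constructed sample page: one publishable key (fine), one hardcoded secret key
# in an inline script and one restricted key left in an HTML comment. None are real.
SAMPLE_HTML = """\
<script src="https://js.stripe.com/v3/"></script>
<script>
  // publishable key: acceptable in client-side code
  var stripe = Stripe("pk_live_CONSTRUCTEDPUBLISHABLE0000");
  // secret key hardcoded in the page (constructed sample)
  fetch("/api/charge", {headers: {"Authorization": "Bearer sk_live_CONSTRUCTEDSECRET00000001"}});
</script>
<!-- rk_live_CONSTRUCTEDRESTRICTED0042 -->
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_HTML):
        print(f"line {f.line}: {f.kind} key {f.masked}")
    # Non-zero exit lets this double as a pre-deploy / CI gate.
    raise SystemExit(1 if scan_text(SAMPLE_HTML) else 0)
```

Wiring `scan_text` into a pre-commit hook or a CI step over rendered templates is the cheapest way to enforce the "never hardcode" rule above; the redacted output is what you would keep in a ticket, so the key itself never gets copied into a second place.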
Yes, NerdyData welcomes questions about the data and can be reached at support@nerdydata.com. Note that this particular report is not available for sale due to the sensitive nature of the data.