Leak playbooks
Your API key leaked. You have about sixty seconds before an automated scraper starts using it. These playbooks are written for exactly that moment.
Leaked OpenAI API key
Your OpenAI key was committed to GitHub or shipped in a client bundle. Here is what an attacker can do in the first sixty seconds, how to rotate safely, and how to prevent the next one.
Leaked Supabase service-role key
The Supabase service-role key bypasses every Row-Level-Security policy you wrote. If yours was committed or exposed client-side, every row in every table is readable and writable. This is the most damaging leak in the AI-built-app era.
Leaked Stripe secret key (live)
Your live Stripe secret key grants full access to your Stripe account — create charges, issue refunds, pull customer data. Rotation is immediate; fraud reversal depends on how fast you rotated and what the attacker did.
Leaked AWS access-key pair
AWS access keys are scraped and validated in under 60 seconds. Spinning up GPU instances for mining, exfiltrating S3 buckets, and escalating through misconfigured IAM are the top-three attacker workflows.
Leaked Anthropic API key
Anthropic Claude API keys are scraped like OpenAI keys. The abuse pattern is similar — run inference until the spend cap trips — but Claude's higher per-token cost means a single leak can burn $5K in hours.
Leaked GitHub Personal Access Token
GitHub PATs act as the issuing user. A leaked classic PAT with `repo` scope gives an attacker read and write on every private repo that user can access, personal and organization repos alike. Fine-grained PATs are limited to the repositories and permissions chosen at creation, but are still dangerous within that scope.
Leaked Stripe restricted key
Stripe restricted keys (rk_live_*) grant limited scopes rather than full account access, but a leaked one still lets an attacker operate within those scopes. Rotate and audit scope on the next key.
Leaked Twilio Account SID + Auth Token
A Twilio Account SID plus Auth Token is the account's master credential (the pair is sent as HTTP basic auth on every API call; the SID is an identifier, the token is the secret). It grants full access: sending SMS, placing voice calls, purchasing numbers, and reading call and message metadata. SMS pumping (toll fraud) is the standard attacker workflow: bulk messages to international premium-rate numbers burn budget in hours.
Leaked SendGrid API key
SendGrid keys let anyone send email as your domain. Attackers use leaked SendGrid keys to run phishing campaigns that pass SPF, DKIM and DMARC, because your DNS already authorizes SendGrid to send for the domain: the mail is authenticated exactly like your own.
Leaked Mailgun API key
Mailgun API keys let attackers send email from your domain with SPF, DKIM and DMARC passing, for the same reason as SendGrid: your DNS authorizes the provider. Rotate immediately; same attacker playbook as SendGrid.
Leaked Resend API key
Resend is the transactional-email service of choice for many Next.js apps. A leaked Resend key lets the attacker send authenticated email from your verified domain, with the same phishing risk as SendGrid and Mailgun.
Leaked Google Cloud service account JSON
A service-account JSON contains a long-lived private key that grants whatever IAM roles the service account holds, often broad ones (Storage Admin, BigQuery User, Firestore Admin). The key does not expire by default, so revoking it means deleting that key ID on the service account. Leakage = full GCP project compromise unless the SA was tightly scoped.
Leaked Azure storage connection string
An Azure Storage connection string embeds the storage-account key. Leaking one grants read and write on every container, queue and table in that storage account. Rotate by regenerating the leaked key (each account has two, so move clients to the other first); regenerating also invalidates any SAS tokens signed with it.
Leaked Firebase Admin SDK JSON
A Firebase Admin SDK JSON is a Google Cloud service-account key for the Firebase project. It bypasses every Firestore, Realtime Database and Storage security rule and can mint custom auth tokens for any user. Worst-case credential for Firebase-backed apps.
Leaked Clerk secret key
Clerk secret keys authorize server-side operations including session creation, user impersonation, and organization management. Leakage = account takeover for every user.
Leaked Auth0 Management API token
Auth0 Management API tokens grant broad control over the tenant including user, role, and connection management. Leakage enables full account takeover across every user in the tenant.
Leaked Slack bot token
A Slack bot token (xoxb-*) grants the bot's full scope — often channel read, DM read, or user enumeration. Leakage = read access to whatever channels the bot was added to.
Leaked Discord bot token
A Discord bot token grants the bot's full permissions. Leakage = the attacker controls the bot as if they were its developer, including reading messages and performing any permitted moderation action.
Leaked Notion integration secret
A Notion integration secret grants access to every page and database the integration was added to. Leakage = read (and possibly write) on every shared surface.
Leaked Linear API key
Linear API keys grant access to the issuing user's full workspace scope. Leakage = attacker reads every team's issues, comments, and attachments.
Leaked Datadog API + App key
Datadog API keys authenticate ingestion (metrics, logs, traces); Application keys, used together with an API key, authenticate queries and management calls. Leakage of both = ability to read every metric, log, and trace, and inject fake metrics to mask real incidents.
Leaked Sentry DSN (and auth token)
Sentry DSNs are intentionally public (they embed in client code): a leaked DSN only lets someone submit events to your project, which is noise and quota, not data access. Sentry auth tokens are secret and grant API access to the organization. Know which you leaked before you rotate.
Leaked PostHog project API key + personal token
PostHog project API keys (phc_*) are client-safe like a Sentry DSN: they can only capture events and evaluate feature flags. Personal API keys (phx_*) grant API access with the issuing user's permissions, including reading data. Distinguish the two before rotating.
Leaked Vercel access token
A Vercel access token grants API access to deploy, read environment variables, and inspect project metadata. Leakage = full project compromise.
Leaked Netlify personal access token
Netlify PATs grant full API access to the issuing user's teams and sites. Similar blast radius to Vercel tokens.
Leaked npm access token
An npm token grants publish access to every package the owner can publish (granular tokens can be restricted to chosen packages). Leakage of a publisher's token is the classic supply-chain attack vector: the attacker publishes a malicious version of a popular package, and every install that resolves to the new version runs attacker code.
Leaked Cloudflare API token
A Cloudflare API token can grant DNS edit, Workers deploy, zone purge, and more depending on scope. Broad-scope tokens are worst-case domain takeover.
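Before any of these playbooks applies you have to know which credential leaked and whether it was a secret at all: the Stripe restricted-key, Slack bot token, Sentry and PostHog entries above all turn on that distinction. The triage script below is an added example written for this page, not tooling from any of the vendors listed. It classifies findings by prefix into rotate-now secrets and client-safe identifiers. Most prefixes are documented vendor formats; the Sentry auth-token (sntrys_), PostHog personal-key (phx_) and Linear (lin_api_) prefixes are from memory and should be treated as assumptions, and the .env/bundle excerpt it scans is constructed. Clerk secret keys share Stripe's sk_live_/sk_test_ prefix, so that match is reported as ambiguous rather than guessed.

```python
"""Triage a leaked-secret report: which service, and is it really a secret?
Added example for this page; not vendor tooling."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    service: str
    kind: str      # "secret": rotate now. "public": client-safe, rotation optional.
    line_no: int
    masked: str    # only a prefix survives, so the report itself is safe to share


# (service, kind, pattern). Most prefixes are documented vendor formats; the
# Sentry auth-token (sntrys_), PostHog personal-key (phx_) and Linear (lin_api_)
# prefixes are from memory and are assumptions. Stripe and Clerk both issue
# sk_live_/sk_test_ secret keys, so that pattern is reported as ambiguous on
# purpose: the regex cannot tell them apart, a human checks which SDK is in use.
PATTERNS = [
    ("stripe-or-clerk secret key", "secret", re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}")),
    ("stripe restricted key",      "secret", re.compile(r"\brk_(?:live|test)_[A-Za-z0-9]{16,}")),
    ("stripe publishable key",     "public", re.compile(r"\bpk_(?:live|test)_[A-Za-z0-9]{16,}")),
    ("anthropic api key",          "secret", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}")),
    # negative lookahead keeps an Anthropic key from also matching as OpenAI
    ("openai api key",             "secret", re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}")),
    ("github classic pat",         "secret", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("github fine-grained pat",    "secret", re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}")),
    ("aws access key id",          "secret", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("slack bot token",            "secret", re.compile(r"\bxoxb-[0-9]+-[0-9A-Za-z-]+")),
    ("sendgrid api key",           "secret", re.compile(r"\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}")),
    ("npm access token",           "secret", re.compile(r"\bnpm_[A-Za-z0-9]{36}\b")),
    ("linear api key",             "secret", re.compile(r"\blin_api_[A-Za-z0-9]{20,}")),   # assumed prefix
    ("posthog personal api key",   "secret", re.compile(r"\bphx_[A-Za-z0-9]{20,}")),       # assumed prefix
    ("posthog project api key",    "public", re.compile(r"\bphc_[A-Za-z0-9]{20,}")),
    ("sentry auth token",          "secret", re.compile(r"\bsntrys_[A-Za-z0-9_=-]{20,}")),  # assumed prefix
    ("sentry dsn",                 "public", re.compile(r"https://[0-9a-f]{16,}@[A-Za-z0-9.-]+/[0-9]+")),
    ("azure storage account key",  "secret", re.compile(r"AccountKey=[A-Za-z0-9+/]{40,}={0,2}")),
    ("gcp/firebase service account json", "secret", re.compile(r'"type"\s*:\s*"service_account"')),
]


def mask(token: str) -> str:
    """Keep only the identifying prefix; never echo a full secret into a ticket."""
    return f"{token[:8]}...({len(token)} chars)"


def scan(text: str) -> list[Finding]:
    """Return every recognised credential, secrets first, then in line order."""
    found: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for service, kind, rx in PATTERNS:
            for m in rx.finditer(line):
                found.append(Finding(service, kind, line_no, mask(m.group(0))))
    found.sort(key=lambda f: (f.kind != "secret", f.line_no))
    return found


def rotate_now(findings: list[Finding]) -> list[str]:
    """Services whose credential must be revoked before anything else."""
    return sorted({f.service for f in findings if f.kind == "secret"})


def safe_to_leave(findings: list[Finding]) -> list[str]:
    """Identifiers that are public by design; no rotation needed for the leak itself."""
    return sorted({f.service for f in findings if f.kind == "public"})


# Constructed excerpt of a leaked .env plus a shipped client bundle. Every
# value is fabricated to match the vendor's format; none is a real credential.
SAMPLE = """\
STRIPE_SECRET_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dcXXXX
STRIPE_RESTRICTED_KEY=rk_live_51H8xQeLtest000000000000000
OPENAI_API_KEY=sk-proj-abcdefghijklmnopqrstuvwxyz0123456789
ANTHROPIC_API_KEY=sk-ant-api03-abcdefghijklmnopqrstuvwxyz0123456789
SLACK_BOT_TOKEN=xoxb-1234567890-1234567890123-abcdefghijklmnopqrstuvwx
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
POSTHOG_PERSONAL_API_KEY=phx_abcdefghijklmnopqrstuvwxyz0123
// --- from the client bundle: these are meant to be public ---
posthog.init("phc_abcdefghijklmnopqrstuvwxyz0123", {api_host: "https://us.i.posthog.com"});
Sentry.init({dsn: "https://0123456789abcdef0123456789abcdef@o123456.ingest.sentry.io/4507"});
"""

if __name__ == "__main__":
    findings = scan(SAMPLE)
    for f in findings:
        print(f"{f.kind:6} line {f.line_no:2} {f.service:28} {f.masked}")
    print("rotate now: ", rotate_now(findings))
    print("client-safe:", safe_to_leave(findings))
```

Output is sorted secrets first so the rotation order is the reading order, and the masked column is safe to paste into an incident ticket. Treat an ambiguous match as the more damaging of its candidates until you have confirmed which service issued it.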