Each entry below is taken from a real production scan. Names removed; mechanics intact. If your application resembles one of these, you may wish to find out before someone else does.

Stripe live secret in window.__ENV
A B2B SaaS shipped sk_live_… directly in the React bundle. Anyone reading the page source could refund any customer. Fix took four minutes; the leak had been live for roughly three weeks.
The users table had no RLS policy. A single GET against /rest/v1/users returned the full member list to anyone with the anon key — which is, by definition, public.
A marketplace launched with the default Firebase quickstart rules in production. Their orders collection was world-writable. We found it by listing five candidate collections.
A chat app wired its API key into a client-side fetch call, so every page load shipped a fresh, valid key to the browser. Token usage spiked two-hundred-fold in week four.
Source map files were served from /_next/static/chunks, exposing JWT verification logic, environment variable names, and a hardcoded admin email allowlist.
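Both the bundled Stripe secret and the shipped source maps are catchable before deploy by scanning the build output. The pre-deploy check below is an added example, not code from the page; the Next.js path layout, the sample chunk contents and the key values are constructed.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Stripe secret (sk_) and restricted (rk_) keys must never reach the browser;
# publishable keys (pk_live_) are meant for it and are deliberately not flagged.
SECRET_KEY_RE = re.compile(r"\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{16,}\b")
SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=")
SCANNED_SUFFIXES = {".js", ".mjs", ".map", ".html"}

def scan_text(name: str, text: str) -> List[Tuple[str, str]]:
    """Return (finding, location) pairs for one file's contents."""
    findings = []
    for m in SECRET_KEY_RE.finditer(text):
        # Report only the key prefix so the finding itself does not re-leak the secret.
        findings.append(("stripe-secret-key", f"{name}: {m.group(0)[:8]}..."))
    if SOURCEMAP_RE.search(text):
        findings.append(("sourcemap-reference", name))
    if name.endswith(".map"):
        findings.append(("sourcemap-file", name))
    return findings

def scan_build_dir(root: Path) -> List[Tuple[str, str]]:
    """Walk a build output directory (for Next.js, .next/static) and collect findings."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SCANNED_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            findings.extend(scan_text(rel, path.read_text(errors="replace")))
    return findings

def demo() -> List[Tuple[str, str]]:
    """Constructed build output reproducing both findings; returns what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        chunks = Path(tmp) / "_next" / "static" / "chunks"
        chunks.mkdir(parents=True)
        # window.__ENV carrying a secret key (bad) next to a publishable key (fine).
        (chunks / "env.js").write_text(
            'window.__ENV={STRIPE_SECRET:"sk_live_EXAMPLEEXAMPLEEXAMPLE0000",'
            'STRIPE_PK:"pk_live_EXAMPLEEXAMPLEEXAMPLE0000"};\n'
            "//# sourceMappingURL=env.js.map\n")
        (chunks / "env.js.map").write_text('{"version":3,"sources":["src/env.ts"]}')
        return scan_build_dir(Path(tmp))

if __name__ == "__main__":
    for kind, where in demo():
        print(f"{kind}: {where}")
```

Run it against the real build directory in CI and fail the pipeline on any finding; the publishable key is intentionally left alone so the check does not block legitimate client-side Stripe use.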
A bucket-listing endpoint returned bucket names including invoices and user-avatars. The names alone were enough reconnaissance for a targeted attempt.