Whoops! Most arXiv papers contain information never meant to be shared
Thank you for visiting nature.com. You are using a browser version with limited support for CSS. To obtain
the best experience, we recommend you use a more up to date browser (or turn off compatibility mode in
Internet Explorer). In the meantime, to ensure continued support, we are displaying the site without styles
and JavaScript.
Nearly all of the nearly three million papers available on the arXiv preprint server contain details the authors never meant to share, a new study finds.
The study, uploaded to arXiv in April and presented at theInstitute of Electrical and Electronics Engineers Symposium on Security and Privacy in San Francisco, California, in May, analysed around 2.7 million articles posted to the repository up until December 2025, amounting to 93% of the preprints. It found that 88% of submissions that contained LaTeX source files included some form of hidden information, from arguments between co-authors and to-do lists acknowledging weaknesses in the text, to passwords, GPS coordinates that can reveal a researcherâs home address, and application programming interface (API) keys â strings of characters that function like passwords for programmers1.
âWhat we report in the paper is really just the tip of the iceberg,â says Jan Pennekamp, a security and privacy researcher at RWTH Aachen University in Germany and first author of the study. Each preprint can have multiple versions, all of which remain online, and the team counted 12 million accompanying or âdanglingâ files that would need individual inspection to fully assess the extent of data leakage, Pennekamp explains.
arXiv is a preprint repository that is particularly popular in the physical and computational sciences. Founded in 1991, it requires authors whose manuscripts are written in LaTeX â a markup language used to typeset scientific papers â to upload their LaTeX source files and make them available alongside the PDF. But because LaTeX works like code, it also supports comments: lines that authors can read but that do not appear in the final document.
âThe vast majority of researchers only care about the PDF,â says Ricardo Henriques, a biophysicist at the AntĂłnio Xavier Institute of Chemical and Biological Technology in Oeiras, Portugal, who uploads his own papers to arXiv. âThat also makes most researchers not aware of the potential impact of leaving comments inside those LaTeX files.â
Whatâs exposed
Pennekamp and his colleagues examined three elements of arXiv submissions: dangling files, which arenât needed to produce the paper; embedded metadata in images and PDFs; and content such as comments in LaTeX source code. Among other things, the analysis surfaced private conversations between co-authors, including profane, unflattering or embarrassing comments about research competitors and to-do notes acknowledging weaknesses that were not mentioned in the published text rather than addressed.
Other researchers have also documented data leakage in the arXiv repository. In January, Giovanni Apruzzese, a computer scientist at Reykjavik University and the University of Liechtenstein in Vaduz, and web-security researcher Aurore Fass at the Inria Centre at CĂ´te dâAzur University in Sophia Antipolis, France, reported their analysis of 600,000 preprints, finding that 27% of them include âresidual dataâ that are not needed to produce the PDF2. A detailed analysis of 200 such preprints identified âundisclosed research details, or the presence of derogatory statementsâ in 20%, including comments such as âWTF does this mean?â
And last October, researchers in Budapest, Oslo and Abu Dhabi reported using large language models to scan roughly 100,000 arXiv submissions, identifying âsensitive disclosuresâ in about 10% of them3. These included social-security numbers, login credentials and private cloud-storage links.
Bradley Reaves, a computer scientist at North Carolina State University in Raleigh, and his team have documented a similar form of credential leakage in GitHub source-code repositories4. The arXiv problem is distinct, he says. On GitHub, developers know their repositories are public; when credentials leak, the mistake occurs in a space they know to be visible. But most researchers donât think of source files on arXiv as public documents, and much of what leaks isnât credentials but private working notes. Reaves says that âarXiv kind of breaks that mental modelâ.
Apruzzese agrees. With social media amplifying any discovery, a single embarrassing comment unearthed in a source file could go viral. âThese kinds of things can ruin the lives of some people,â he says.
Beyond comments, Pennekamp and his colleagues discovered 265 API keys, 4 private keys and 171 passwords. They found 7,326 submissions with GPS-tagged images â and, in 235 cases, the coordinates spanned commutable distances. A random check of ten such cases confirmed that nine pinpointed both a research building and a residential address, suggesting authors were accidentally sharing their home locations. The researchers uncovered and manually validated 699 Google Docs links granting editing access to anyone who clicked, exposing peer reviews, rebuttals and meeting minutes. In 18 cases, the links led to survey data from study participants. âIn some cases, it was pretty obvious that this was meant to be confidential,â Pennekamp says.
As part of responsible disclosure, the researchers contacted 2,660 affected authors, 112 of whom responded to a follow-up survey. Only 41% of that group said they were aware that arXiv publishes source files. âarXiv basically says this on the website,â Pennekamp says, adding that the site provides âhigh-level instructionsâ on how to clean up the source files, and that âthis is the authorâs responsibilityâ.
Enjoying our latest content?
Log in or create an account to continue
Access the most recent journalism from Nature's award-winning team
Explore the latest features & opinion covering groundbreaking research
How it works
Once you click Generate, Ollama reads this article and crafts 5 comprehension questions. Your answers are graded against the article content â general knowledge won't be enough. Score 70+ to count toward your certificate.
Questions are cached â you'll always get the same 5 for this article.