
Some researchers who use the markup language LaTeX for typesetting are unwittingly making private information public.Credit: Tom Houghton/Nature
Nearly all of the nearly three million papers available on the arXiv preprint server contain details the authors never meant to share, a new study finds.
The study, uploaded to arXiv in April and presented at theInstitute of Electrical and Electronics Engineers Symposium on Security and Privacy in San Francisco, California, in May, analysed around 2.7 million articles posted to the repository up until December 2025, amounting to 93% of the preprints. It found that 88% of submissions that contained LaTeX source files included some form of hidden information, from arguments between co-authors and to-do lists acknowledging weaknesses in the text, to passwords, GPS coordinates that can reveal a researcher’s home address, and application programming interface (API) keys — strings of characters that function like passwords for programmers1.
“What we report in the paper is really just the tip of the iceberg,” says Jan Pennekamp, a security and privacy researcher at RWTH Aachen University in Germany and first author of the study. Each preprint can have multiple versions, all of which remain online, and the team counted 12 million accompanying or ‘dangling’ files that would need individual inspection to fully assess the extent of data leakage, Pennekamp explains.
arXiv is a preprint repository that is particularly popular in the physical and computational sciences. Founded in 1991, it requires authors whose manuscripts are written in LaTeX — a markup language used to typeset scientific papers — to upload their LaTeX source files and make them available alongside the PDF. But because LaTeX works like code, it also supports comments: lines that authors can read but that do not appear in the final document.
“The vast majority of researchers only care about the PDF,” says Ricardo Henriques, a biophysicist at the António Xavier Institute of Chemical and Biological Technology in Oeiras, Portugal, who uploads his own papers to arXiv. “That also makes most researchers not aware of the potential impact of leaving comments inside those LaTeX files.”
What’s exposed
Pennekamp and his colleagues examined three elements of arXiv submissions: dangling files, which aren’t needed to produce the paper; embedded metadata in images and PDFs; and content such as comments in LaTeX source code. Among other things, the analysis surfaced private conversations between co-authors, including profane, unflattering or embarrassing comments about research competitors and to-do notes acknowledging weaknesses that were not mentioned in the published text rather than addressed.
Other researchers have also documented data leakage in the arXiv repository. In January, Giovanni Apruzzese, a computer scientist at Reykjavik University and the University of Liechtenstein in Vaduz, and web-security researcher Aurore Fass at the Inria Centre at Côte d’Azur University in Sophia Antipolis, France, reported their analysis of 600,000 preprints, finding that 27% of them include “residual data” that are not needed to produce the PDF2. A detailed analysis of 200 such preprints identified “undisclosed research details, or the presence of derogatory statements” in 20%, including comments such as “WTF does this mean?”
arXiv at 20
And last October, researchers in Budapest, Oslo and Abu Dhabi reported using large language models to scan roughly 100,000 arXiv submissions, identifying “sensitive disclosures” in about 10% of them3. These included social-security numbers, login credentials and private cloud-storage links.
Bradley Reaves, a computer scientist at North Carolina State University in Raleigh, and his team have documented a similar form of credential leakage in GitHub source-code repositories4. The arXiv problem is distinct, he says. On GitHub, developers know their repositories are public; when credentials leak, the mistake occurs in a space they know to be visible. But most researchers don’t think of source files on arXiv as public documents, and much of what leaks isn’t credentials but private working notes. Reaves says that “arXiv kind of breaks that mental model”.
Apruzzese agrees. With social media amplifying any discovery, a single embarrassing comment unearthed in a source file could go viral. “These kinds of things can ruin the lives of some people,” he says.
Beyond comments, Pennekamp and his colleagues discovered 265 API keys, 4 private keys and 171 passwords. They found 7,326 submissions with GPS-tagged images — and, in 235 cases, the coordinates spanned commutable distances. A random check of ten such cases confirmed that nine pinpointed both a research building and a residential address, suggesting authors were accidentally sharing their home locations. The researchers uncovered and manually validated 699 Google Docs links granting editing access to anyone who clicked, exposing peer reviews, rebuttals and meeting minutes. In 18 cases, the links led to survey data from study participants. “In some cases, it was pretty obvious that this was meant to be confidential,” Pennekamp says.
As part of responsible disclosure, the researchers contacted 2,660 affected authors, 112 of whom responded to a follow-up survey. Only 41% of that group said they were aware that arXiv publishes source files. “arXiv basically says this on the website,” Pennekamp says, adding that the site provides “high-level instructions” on how to clean up the source files, and that “this is the author’s responsibility”.


