Nearly 13 Million Secrets Spilled Via Public GitHub Repositories

Written by

Developers accidentally leaked 12.8 million secrets on public GitHub repositories in 2023, a 28% increase on the previous year, according to a new report from GitGuardian.

The security vendor claimed the figure represents a quadrupling of exposed secrets since 2021 and can be pegged to the growth in GitHub repositories.

It said seven in 1000 commits, 4.6% of active repositories and 11.7% of contributing authors exposed at least one secret last year.

Despite sending out 1.8 million alert emails during that time, GitGuardian claimed that 90% of exposed secrets remained active five days post-leakage, creating a persistent security gap. Just 2.6% were revoked within one hour of notification via email.

“Developers erasing leaky commits or repositories instead of revoking are creating a major security risk for companies, which will remain vulnerable to threat actors mirroring public GitHub activity for as long as the credential remains valid,” said GitGuardian CEO, Eric Fourrier. “These zombie leaks are the worst.”

Read more on GitHub security risks: Security Experts Urge IT to Lock Down GitHub Services

Some 50 million new repositories were added to GitHub in the past year, a 22% year-on-year increase. Three million overall repositories featured leaked secrets – the most common of which were Google API keys, MongoDB credentials, OpenWeatherMap tokens, Telegram Bot tokens, Google Cloud keys and AWS IAM.

These could give opportunistic threat actors a huge helping hand in compromising sensitive enterprise resources. GitGuardian also detected a 1212-times increase in OpenAI API key leaks and spotted even more leaked HuggingFace user access tokens, both indicating the growing popularity of AI services.

The IT sector was by far the worst culprit for leaking secrets, accounting for 65.9% of the total. It was followed by education, science & technology, retail, manufacturing, and finance and insurance.

GitGuardian urged action not only to discover but also to remediate these leaks.

“While the majority of security initiatives focus on detecting these leaks, the actual bottleneck lies in remediation. Simply alerting developers falls short; what’s truly essential is providing them with the necessary guidance and support to rectify their mistakes effectively,” its report argued.

What’s hot on Infosecurity Magazine?