**BOSTON, USA, March 11th, 2025/CyberNewsWire/--**GitGuardian, the security leader behind GitHub's most installed application, today released its comprehensive "2025 State of Secrets Sprawl Report," revealing a widespread and persistent security crisis that threatens organizations of all sizes. The report exposes a 25% increase in leaked secrets year-over-year, with 23.8 million new credentials detected on public GitHub in 2024 alone. Most concerning for enterprise security leaders: 70% of secrets leaked in 2022 remain active today, creating an expanding attack surface that grows more dangerous with each passing day. "The explosion of leaked secrets represents one of the most significant yet underestimated threats in cybersecurity," said Eric Fourrier, CEO of GitGuardian. "Unlike sophisticated zero-day exploits, attackers don't need advanced skills to exploit these vulnerabilities—just one exposed credential can provide unrestricted access to critical systems and sensitive data."Eric Fourrier points to the 2024 U.S. Treasury Department breach as a warning: "A single leaked API key from BeyondTrust allowed attackers to infiltrate government systems. This wasn't a sophisticated attack—it was a simple case of an exposed credential that bypassed millions in security investments." "The explosion of leaked secrets represents one of the most significant yet underestimated threats in cybersecurity," said Eric Fourrier, CEO of GitGuardian. "Unlike sophisticated zero-day exploits, attackers don't need advanced skills to exploit these vulnerabilities—just one exposed credential can provide unrestricted access to critical systems and sensitive data."Eric Fourrier points to the 2024 U.S. Treasury Department breach as a warning: "A single leaked API key from BeyondTrust allowed attackers to infiltrate government systems. This wasn't a sophisticated attack—it was a simple case of an exposed credential that bypassed millions in security investments." Key Findings for Security Leaders The report identifies several critical trends that demand immediate attention: The Blind Spot: Generic Secrets Despite GitHub's Push Protection helping developers detect known secret patterns, generic secrets—including hardcoded passwords, database credentials, and custom authentication tokens—now represent more than half of all detected leaks. These credentials lack standardized patterns, making them nearly impossible to detect with conventional tools. Private Repositories: A False Sense of Security The analysis reveals a startling truth: a full 35% of all private repositories scanned contained at least one plaintext secret, shattering the common assumption that private repositories are secure: AWS IAM keys appeared in plaintext in 8.17% of private repositories—over 5× more frequently than in public ones (1.45%)
Generic passwords appeared nearly 3× more often in private repositories (24.1%) compared to public ones (8.94%)
MongoDB credentials were the most frequently leaked secret type in public repositories (18.84%) AWS IAM keys appeared in plaintext in 8.17% of private repositories—over 5× more frequently than in public ones (1.45%) Generic passwords appeared nearly 3× more often in private repositories (24.1%) compared to public ones (8.94%) MongoDB credentials were the most frequently leaked secret type in public repositories (18.84%) "Leaked secrets in private code repositories must be treated as compromised," emphasized Eric Fourrier. "Security teams must recognize that secrets should be treated as sensitive data regardless of where they reside." "Leaked secrets in private code repositories must be treated as compromised," emphasized Eric Fourrier. "Security teams must recognize that secrets should be treated as sensitive data regardless of where they reside." Beyond Code: Secrets Sprawl Across the SDLC Hardcoded secrets are everywhere, but especially in security blind spots like collaboration platforms and containers environments where security controls are typically weaker: Slack: 2.4% of channels within analyzed workspaces contained leaked secrets
Jira: 6.1% of tickets exposed credentials, making it the most vulnerable collaboration tool
DockerHub: 98% of detected secrets were embedded exclusively in image layers, with over 7,000 valid AWS keys currently exposed Slack: 2.4% of channels within analyzed workspaces contained leaked secrets Jira: 6.1% of tickets exposed credentials, making it the most vulnerable collaboration tool DockerHub: 98% of detected secrets were embedded exclusively in image layers, with over 7,000 valid AWS keys currently exposed The Non-Human Identity Crisis Non-human identities (NHIs)—including API keys, service accounts, and automation tokens—now vastly outnumber human identities in most organizations. However, these credentials often lack proper lifecycle management and rotation, creating persistent vulnerabilities. A security leader at a Fortune 500 company acknowledged this challenge: "We aim to rotate secrets annually, but enforcement is difficult across our environment. Some credentials have remained unchanged for years." A security leader at a Fortune 500 company acknowledged this challenge: "We aim to rotate secrets annually, but enforcement is difficult across our environment. Some credentials have remained unchanged for years." Secrets Managers: Not a Complete Answer Even organizations using secrets management solutions remain vulnerable. A study of 2,584 repositories leveraging secrets managers revealed a 5.1% secret leakage rate —far from the near-zero we anticipate. This surpasses the overall GitHub average of 4.6%. Common issues include: Secrets extracted from secrets managers and hardcoded elsewhere
Insecure authentication to secrets managers exposing access credentials
Fragmented governance due to secrets sprawl across multiple secrets managers Secrets extracted from secrets managers and hardcoded elsewhere Insecure authentication to secrets managers exposing access credentials Fragmented governance due to secrets sprawl across multiple secrets managers The Path Forward: Comprehensive Secrets Security As AI-generated code, automation, and cloud-native development accelerate, the report forecasts that secrets sprawl will only intensify. While GitHub's Push Protection has reduced some leaks, it leaves significant gaps—particularly with generic secrets, private repositories, and collaboration tools. "For CISOs and security leaders, the goal isn't just detection—it's the remediation of these vulnerabilities before they're exploited," said Eric Fourrier. "This requires a comprehensive approach that includes automated discovery, detection, remediation, and stronger secrets governance across all enterprise platforms." "For CISOs and security leaders, the goal isn't just detection—it's the remediation of these vulnerabilities before they're exploited," said Eric Fourrier. "This requires a comprehensive approach that includes automated discovery, detection, remediation, and stronger secrets governance across all enterprise platforms." The report concludes with a strategic framework for organizations to address secrets sprawl through: Deploying monitoring for exposed credentials across all environments
Implementing centralized secrets detection and remediation
Establishing semi-automated rotation policies for all credentials
Creating clear developer guidelines for secure vault usage Deploying monitoring for exposed credentials across all environments Implementing centralized secrets detection and remediation Establishing semi-automated rotation policies for all credentials Creating clear developer guidelines for secure vault usage To read the full 2025 State of Secrets Sprawl Report, users can visit GitGuardian.com. GitGuardian.com GitGuardian.com Additional resources GitGuardian - Website GitGuardian - Website GitGuardian - Website The State of Secrets Sprawl 2025 The State of Secrets Sprawl 2025 The State of Secrets Sprawl 2025 About GitGuardian GitGuardian is an end-to-end NHI security platform that empowers software-driven organizations to enhance their Non-Human Identity (NHI) security and comply with industry standards. With attackers increasingly targeting NHIs, such as service accounts and applications, GitGuardian integrates Secrets Security and NHI Governance. GitGuardian GitGuardian This dual approach enables the detection of compromised secrets across your dev environments while also managing non-human identities and their secrets' lifecycles. The platform is the world's most installed GitHub application and supports over 450+ types of secrets, offers public monitoring for leaked data, and deploys honeytokens for added defense. Trusted by over 600,000 developers, GitGuardian is the choice of leading organizations like Snowflake, ING, BASF, and Bouygues Telecom for robust secrets protection. Contact Media Contact Holly Hagerman Connect Marketing hollyh@connectmarketing.com +1(801) 373-7888 This story was distributed as a release by Cybernewswire under HackerNoon’s Business Blogging Program. Learn more about the program here This story was distributed as a release by Cybernewswire under HackerNoon’s Business Blogging Program. Learn more about the program here here here

This is a PR written by or for the company mentioned within it. The writer has a vested interest in the company and products mentioned within.

Toncoin

BeyondTrust

Even

GitHub

HackerNoon

Human

MongoDB

Path

Sense

Slack

Spot

Too Long; Didn't Read

GitGuardian Report: 70% Of Leaked Secrets Remain Active For Two Years, Urging Immediate Remediation

GitGuardian Report: 70% Of Leaked Secrets Remain Active For Two Years, Urging Immediate Remediation

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

ThreatHunter.ai Stands Guard Against Ransomware and Nation-State Threats

Why Crypto Could Outperform Stocks, Real Estate, and Gold in 2026

Avici Raises $3.5 Million, Gives Back 90% of Capital via Futarchy Governance

VSYS Host Launches VSYS Name - an ICANN-Accredited Domain Registrar

Lt. Col Saeed Mohamed Al Shebli on UAE’s Vision for Digital Sovereignty & Cyber Resilience

ThreatHunter.ai Stands Guard Against Ransomware and Nation-State Threats

Why Crypto Could Outperform Stocks, Real Estate, and Gold in 2026

Avici Raises $3.5 Million, Gives Back 90% of Capital via Futarchy Governance

VSYS Host Launches VSYS Name - an ICANN-Accredited Domain Registrar

Lt. Col Saeed Mohamed Al Shebli on UAE’s Vision for Digital Sovereignty & Cyber Resilience

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps