GitHub was the epicenter of secret data leaks in 2023

Millions of leaked keys, passwords, and tokens have become prime loot for cybercriminals.

In 2023, GitHub users inadvertently released about 12.8 million credentials and other sensitive secrets in more than 3 million public repositories.

Security specialists from GitGuardian, investigating this problem, sent 1.8 million warning emails to account owners, but fewer than 2% of them promptly fixed the leak.

Among the revealed secrets were account passwords, API keys, TLS/SSL certificates, encryption keys, cloud service credentials, OAuth tokens, and other data that enables unauthorized access to resources and services, with the attendant risk of data leakage and financial losses.

Sophos' 2023 report indicates that compromised credentials caused 50% of all attacks in the first half of the year, significantly outstripping the exploitation of vulnerabilities, which was responsible for 23% of cases.

GitGuardian emphasizes that the problem of secret leaks on GitHub, the most popular platform for code hosting and collaboration, has worsened since 2020.


Millions of secrets revealed on GitHub every year

Most of the leaks in 2023 were recorded in India, the United States, Brazil, China, France, Canada, Vietnam, Indonesia, South Korea and Germany.

By industry, most secrets were leaked from the IT sector (65.9%), followed by education (20.1%), and all other industries combined (science, retail, manufacturing, finance, public administration, healthcare, entertainment, transport) account for about 14% of leaks.

Specific leaks are dominated by Google API and Google Cloud keys, MongoDB credentials, Telegram bot tokens, MySQL and PostgreSQL credentials, and GitHub OAuth keys.
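The secret types listed above all have recognisable shapes, which is what lets tooling such as GitGuardian's, or GitHub's own push protection, catch them before or shortly after they land in a public repository. The following is an added example, not code from the original post or from GitGuardian or GitHub: a small scanner that runs simplified, approximate patterns for the families named above (Google API keys, GitHub tokens, OpenAI keys, Telegram bot tokens, and MongoDB/MySQL/PostgreSQL connection strings carrying credentials) over a constructed sample config, plus a Shannon-entropy check for generic `password=`/`token=` assignments so that a low-entropy placeholder does not raise an alert. All sample values are fabricated, and the regexes are assumptions about the public key formats rather than any vendor's exact validation rules.

```python
import math
import re
from collections import Counter

# Simplified, approximate patterns for the secret families the report names.
# These are assumptions about the public formats, not exact vendor rules.
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "openai_api_key": re.compile(r"\bsk-[0-9A-Za-z]{20,}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[0-9A-Za-z_-]{35}\b"),
    # Connection strings only count when they embed user:password@.
    "mongodb_uri_with_creds": re.compile(r"\bmongodb(?:\+srv)?://[^:/\s]+:[^@\s]+@"),
    "mysql_uri_with_creds": re.compile(r"\bmysql://[^:/\s]+:[^@\s]+@"),
    "postgres_uri_with_creds": re.compile(r"\bpostgres(?:ql)?://[^:/\s]+:[^@\s]+@"),
}

# Generic "password = <value>" style assignments; the value is then judged by entropy.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(?:secret|password|passwd|token|api[_-]?key)\b\s*[=:]\s*['\"]?([^'\"\s]{12,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; tuning knob, chosen for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix and suffix so a finding can be triaged without re-leaking it."""
    return value[:4] + "..." + value[-2:]


def scan_line(line: str) -> list:
    """Return (kind, raw_secret) tuples for every pattern hit on one line."""
    findings = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(line):
            findings.append((name, m.group(0)))
    m = GENERIC_ASSIGNMENT.search(line)
    if m:
        value = m.group(1)
        already = any(v == value for _, v in findings)
        if not already and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_assignment", value))
    return findings


def scan_text(text: str) -> list:
    """Scan a whole file body; secrets are redacted in the returned records."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, value in scan_line(line):
            results.append({"line": lineno, "kind": kind, "secret": redact(value)})
    return results


# Constructed sample config; every value below is fake.
SAMPLE = """\
# constructed sample config (fake values, not real credentials)
GOOGLE_API_KEY="AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6R"
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
OPENAI_API_KEY=sk-AbCdEf0123456789AbCdEf01
TELEGRAM_BOT=123456789:AAEexampleTokenValue_0123456789abcF
MONGO_URI=mongodb+srv://appuser:S3cretPa55@cluster0.example.net/db
DATABASE_URL=postgres://admin:hunter2@db.internal:5432/prod
DEBUG=true
password = "Xk9#pL2@qR7!mN4$vB8&"
password = "passwordpassword"
"""

if __name__ == "__main__":
    for r in scan_text(SAMPLE):
        print(f"line {r['line']:>2}  {r['kind']:<26} {r['secret']}")
```

Run as a script it lists one finding per leaked value, with the secret itself redacted; the last sample line (`passwordpassword`) is deliberately not reported because its entropy is well under the threshold. The same `scan_text` function can be wired into a pre-commit hook or a CI job over staged files, which is the cheapest point at which to stop a secret before it reaches a public repository; once it is pushed, the only safe remedy is revocation, not deletion from history.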

It was observed that only 2.6% of leaked secrets were revoked in the first hour after the leak, while a staggering 91.6% remained active even after five days. Companies such as Riot Games, GitHub, OpenAI, and AWS have demonstrated the best mechanisms for responding to leaks.

In 2023, there was an explosive increase in the use of generative AI tools, which also affected the number of leaks of the corresponding secrets: GitGuardian recorded an average 1212-fold increase in leaked OpenAI API keys compared with 2022.

Last month, GitHub activated protection against accidental disclosure of secrets by default to prevent similar incidents in the future.

The leak of millions of secrets through public repositories on GitHub serves as a serious warning to the entire developer community. It shows how important it is to be strict about security and not to tolerate careless handling of confidential data.

Incidents of this kind undermine the credibility of open source projects and can lead to financial losses, hacks, and other serious consequences.

Developers need to increase their vigilance, implement reliable practices for protecting secrets, and respond quickly to any leaks. Only a responsible approach will ensure the security of the code and the safety of valuable project data.