
GitGuardian Report: 70% of Leaked Secrets Stay Active for Two Years, Urging Immediate Remediation


Boston, USA, March 11th, 2025 (CyberNewsWire) – GitGuardian, a prominent cybersecurity firm known for developing GitHub’s most widely used application, has published its “2025 State of Secrets Sprawl Report,” shedding light on a pervasive security problem that threatens organizations across the board. The report reveals a 25% year-over-year surge in leaked secrets, with 23.8 million new credentials identified on public GitHub repositories in 2024 alone.

Of particular concern to security executives is the fact that 70% of the secrets leaked in 2022 are still active today, effectively expanding the attack surface and heightening the risk by the day. Eric Fourrier, the CEO of GitGuardian, emphasized the gravity of the situation by stating, “The explosion of leaked secrets represents one of the most significant yet underestimated threats in cybersecurity. Attackers do not need advanced skills to exploit these vulnerabilities – a single exposed credential can grant unrestricted access to critical systems and sensitive data.”

The 2024 breach of the U.S. Treasury Department serves as a stark reminder of the potential consequences of such security lapses. A leaked API key from BeyondTrust was all it took for attackers to infiltrate government systems, bypassing millions of dollars’ worth of security investments with a simple credential exposure.

The State of Secrets Sprawl Report identifies several trends that demand immediate attention. One key trend is the prevalence of generic secrets, such as hardcoded passwords, database credentials, and custom authentication tokens, which now account for more than half of all detected leaks. GitHub’s Push Protection feature helps by blocking pushes that contain secrets matching known provider formats, but generic secrets lack a standardized pattern, so conventional pattern-matching tools cannot reliably detect them.
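To make the distinction concrete, here is a small added example (not code from GitGuardian or from the report) contrasting the two detection styles. A known-format secret such as an AWS access key ID has a fixed shape (the `AKIA` prefix followed by 16 uppercase alphanumerics) and can be matched exactly; a generic secret has no such shape, so the scanner falls back to a heuristic: a suggestive variable name assigned a quoted string whose Shannon entropy exceeds a threshold. The sample lines are constructed for this example; the two AWS values are the placeholder keys from AWS’s own documentation. The keyword list, the entropy threshold of 3.0 bits per character, and the function names are assumptions of this example.

```python
"""Toy secret scanner: exact patterns for known formats, heuristics for generic secrets."""
import math
import re
from collections import Counter

# Known-format detector (assumption: only the AWS access key ID shape is modelled here).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic-secret heuristic: a secret-like keyword in a variable name, followed by an
# assignment of a quoted string of at least 8 characters. Keyword list is an assumption.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key|credential)\w*"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off for "looks random"

# Constructed sample input (not taken from any real repository).
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',                           # known format
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',   # generic, high entropy
    'db_password = "Tr0ub4dor&3xQ9vLm2pZ"',                                  # generic, high entropy
    'password = "changeme"',                                                 # generic, low entropy
    'timeout_seconds = 30',                                                  # benign
    'api_url = "https://api.example.com/v1"',                                # benign, keyword-free
    'token = os.environ["API_TOKEN"]',                                       # read from env, not hardcoded
]


def shannon_entropy(value):
    """Shannon entropy of a string in bits per character."""
    if not value:
        return 0.0
    n = len(value)
    counts = Counter(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return a list of (category, detector_or_keyword, value) findings for one line."""
    findings = []
    # Exact matching: cheap, precise, but only for formats we know in advance.
    for name, pattern in KNOWN_PATTERNS.items():
        for match in pattern.finditer(line):
            findings.append(("known", name, match.group(0)))
    # Heuristic matching: catches custom credentials but is bounded by the threshold.
    match = GENERIC_ASSIGNMENT.search(line)
    if match:
        keyword, value = match.group(1).lower(), match.group(2)
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(("generic", keyword, value))
    return findings


def scan(lines):
    """Scan all lines; map 1-based line number to its findings (only lines with hits)."""
    results = {}
    for lineno, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results[lineno] = hits
    return results


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LINES).items():
        for category, detector, value in hits:
            print(f"line {lineno}: {category:7s} {detector:18s} {value}")
```

Running it flags lines 1 to 3 but not line 4: `password = "changeme"` is a real hardcoded credential, yet its entropy is below the threshold, so the heuristic misses it. Lowering the threshold would catch it at the cost of flagging ordinary configuration strings. That trade-off, with no fixed pattern to anchor on, is exactly why generic secrets are harder to detect than provider-formatted keys.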

Furthermore, the report highlights a concerning truth – a substantial 35% of private repositories analyzed contained at least one plaintext secret, challenging the common belief that private repositories offer a secure environment. AWS IAM keys were found in plaintext in 8.17% of private repositories, significantly higher than the 1.45% prevalence in public repositories. Additionally, MongoDB credentials emerged as the most frequently leaked secret type in public repositories at 18.84%, underscoring the widespread nature of the issue.

Beyond the realm of code repositories, secrets sprawl extends to collaboration platforms and container environments, where security controls are typically weaker, creating more blind spots for potential vulnerabilities. For instance, analysis revealed that 2.4% of Slack channels contained leaked secrets, making it imperative for organizations to address security gaps present in these tools.

Non-human identities (NHIs) have also emerged as a pressing concern, outnumbering human identities in many organizations. However, the lack of proper lifecycle management and rotation for these credentials poses persistent vulnerabilities, as highlighted by a Fortune 500 company’s struggle to enforce annual rotation policies effectively.

Even organizations using secret management solutions are not immune, with the report finding a 5.1% secret leakage rate among repositories that use a secrets manager. Secrets being extracted from managers and hardcoded elsewhere, insecure authentication exposing the credentials used to reach the manager itself, and fragmented governance caused by secrets spread across multiple managers all contribute to this exposure.

Looking ahead, the report predicts that secrets sprawl will intensify with the proliferation of AI-generated code, automation, and cloud-native development practices. While GitHub’s Push Protection feature has helped mitigate some leaks, it is imperative for organizations to adopt a more comprehensive approach encompassing automated discovery, detection, remediation, and stronger governance of secrets across all enterprise platforms.

In conclusion, the report recommends a strategic framework for organizations to tackle secrets sprawl effectively. This includes deploying monitoring for exposed credentials across all environments, implementing centralized detection and remediation systems, establishing semi-automated rotation policies for all credentials, and providing clear developer guidelines for secure vault usage.

The complete 2025 State of Secrets Sprawl Report, along with additional resources and details about GitGuardian’s NHI security platform, is available on GitGuardian’s official website.
