GitGuardian has released its 2025 State of Secrets Sprawl Report, and the findings are alarming. A 25% increase in leaked credentials year-over-year has pushed the total number of exposed secrets on public GitHub repositories to 23.8 million in 2024 alone. The most shocking statistic: 70% of secrets leaked in 2022 remain active today, highlighting a massive failure in cybersecurity remediation efforts.
“The explosion of leaked secrets represents one of the most significant yet underestimated threats in cybersecurity,” said Eric Fourrier, CEO of GitGuardian.
Attackers don’t need sophisticated exploits—a single exposed API key can grant unrestricted access to critical systems. The 2024 U.S. Treasury Department breach, enabled by a single leaked BeyondTrust API key, is a stark reminder of the risk. A single leak granted access to government systems, negating millions of dollars in security spending.
If GitGuardian’s new report were a tabloid newspaper, its headline would be something like “Your Secrets Are Out There, Forever.”
Cybercrime’s Evolution: An Interview with GitGuardian’s Soujanya Ain
Cyber Insurance News got an early look at the latest report from GitGuardian and asked Soujanya Ain, Senior Product Manager, about its findings. The report highlights the growing ease of cybercrime, the role of human error, and the urgent need for businesses to treat cybersecurity as a fundamental business risk—not just an IT issue.
The Democratization of Cybercrime
With cybercriminals no longer needing advanced skills, the barrier to entry is lower than ever. We asked Ain whether this shift signals that we’re still in the early stages of a much larger cybercrime wave.
“The democratization of cybercrime means that sophisticated attacks no longer require sophisticated attackers,” Ain explains. “With leaked credentials, even a script kiddie can access enterprise-level systems and move laterally. And with 23.8 million new secrets leaked in a year, it’s a buyer’s market for bad actors.”
In Ain’s estimation, “As cybercrime continues to scale, we’re going to see more traditional criminal enterprises expand into this lucrative, low-risk space. The barrier to entry is dropping, but the cost to businesses is skyrocketing.”
The sheer volume of leaked credentials is fueling a rapid expansion of cybercrime. As Ain points out, the days of needing elite hacking skills are over—access to sensitive systems is now being sold on a mass scale, creating a highly lucrative industry with little risk for attackers.
Human Error: The Weakest Link
One of the most troubling aspects of the report is the role of human error—specifically, weak passwords and poor security practices. We asked Ain whether digital security training should start earlier, similar to how children are taught basic safety rules like looking both ways before crossing the street.
“We don’t teach students at university about digital safety, secure coding—and that’s a massive blind spot,” Ain says. “Developers of all levels, from junior to senior, leak secrets, and a junior dev today is a senior leader tomorrow. If secure coding practices aren’t embedded in education, the problem compounds over time.”
Ain notes that many top Computer Science programs lack dedicated security courses. That means developers enter the workforce without proper training in security best practices. This lack of early education leads to mistakes that can exacerbate cybersecurity risk.
The solution? Ain believes security training must be “visceral.”
“Show developers the real-world consequences of leaked credentials. Simulate breaches. Gamify security. Make it personal. Tell them, ‘This isn’t about some abstract threat, this is about your job, your company, our secrets.'”
Cybersecurity: A Business Continuity Imperative
The report makes it clear that business leaders, CISOs, and executives who fail to take cybersecurity seriously put their organizations at risk. But despite this, many companies still view cybersecurity as an IT issue rather than its own fundamental business concern.
“Secrets security is not an IT problem. It’s a business continuity problem. A risk management problem. A brand reputation problem,” Ain states.
One of the challenges businesses face is the rise of non-human identities (NHIs)—automated accounts, API keys, and cloud services—outnumbering human users by a staggering ratio of 45 to one. This proliferation of secrets has made them the primary attack vector, yet many organizations fail to implement proper security measures.
“Secrets hygiene is often overlooked, creating visibility gaps that attackers exploit,” Ain warns. “The moment leaders start making secrets security a part of their overall IAM strategy—with constant investment, monitoring, and cultural reinforcement—is the moment they start winning, preventing breaches like the Treasury Department’s, and securing their expanding NHI attack surface.”
The Key Findings: The Secrets Sprawl Crisis
Blind Spots: Generic Secrets Fuel the Crisis
GitHub’s Push Protection initiative helps developers detect known secret patterns, but generic secrets—such as hardcoded passwords, database credentials, and custom authentication tokens—now account for 58% of all detected leaks, which means significant cybersecurity risks. These secrets are more challenging to identify because they don’t follow standardized patterns, making them a silent but deadly issue with cyber risk management.
Private Repositories: Not as Private as You Think
Many developers assume that private repositories shield secrets from exposure. That assumption is wrong. The report found that 35% of private repositories scanned contained at least one plaintext secret.
- AWS IAM keys were 5× more common in private repositories (8.17%) than in public ones (1.45%).
- Generic passwords appeared nearly 3× more often in private repositories (24.1%) than in public ones (8.94%).
- MongoDB credentials were the most frequently leaked secret type in public repositories (18.84%).
“Leaked secrets in private code repositories must be treated as compromised,” emphasized Fourrier.
Beyond Source Code: Secrets Sprawl Across Workflows
Secrets are not just leaking from source code. They are hiding in collaboration platforms, container environments, and project management tools—often in places security teams don’t think to look:
- Slack: 2.4% of channels analyzed contained leaked secrets.
- Jira: 6.1% of tickets exposed credentials, making it the most vulnerable collaboration tool.
- DockerHub: 98% of detected secrets were embedded in image layers, with over 7,000 valid AWS keys currently exposed.
The Non-Human Identity Crisis
API keys, service accounts, and automation tokens now outnumber human users in many organizations, but they lack proper lifecycle management. Many of these machine identities are never rotated or revoked, leaving them vulnerable for years.
A security leader at a Fortune 500 company on this cybersecurity risk:
“We aim to rotate secrets annually, but enforcement is difficult across our environment. Some credentials have remained unchanged for years.”
Secrets Managers: Useful, But Not Foolproof
Even organizations that use secrets management solutions are still at risk. A study of 2,584 repositories using secrets managers found a 5.1% secret leakage rate, higher than the overall GitHub average of 4.6%.
Common issues include:
- Secrets extracted from managers but hardcoded elsewhere.
- Insecure authentication exposing access credentials.
- Fragmented governance due to secrets sprawl across multiple managers.
The Path Forward: Fixing the Secrets Sprawl Epidemic
GitGuardian’s report makes it clear: detection alone is not enough. Companies must prioritize remediation to reduce the long-term risks of leaked secrets.
Steps Organizations Should Take Now
- Deploy monitoring for exposed credentials across all environments—not just source code.
- Implement centralized secrets detection and remediation tools.
- Automate credential rotation to reduce reliance on static secrets.
- Develop clear security guidelines for developers on secrets management.
- Expand protection to collaboration tools and container environments where security gaps are most severe.
GitGuardian’s Final Warning
As AI-generated code, automation, and cloud-native development accelerate, secrets sprawl will only worsen. A comprehensive approach is needed to tackle this escalating crisis.
“For CISOs and security leaders, the goal isn’t just detection—it’s the remediation of these vulnerabilities before they’re exploited,” said Fourrier.
As long as secrets continue to leak and remain active, attackers will have an easy way in—and that’s a secret no one wants to keep.
Cyber Insurance News Final Thought on this Cybersecurity Risk
The Real-World Impact
As GitGuardian’s report warns, secrets leakage is not just a technical issue—it is a business crisis. Ignoring secrets sprawl is no longer an option. The question is: Will companies act before it’s too late?
