GitHub Secret Leaks Surge: 12.8 Million Exposed in 2023
GitHub has witnessed a surge in secret leaks, with 12.8 million exposed in 2023, marking a 28% increase from the previous year. These secrets, including API keys and credentials, pose significant security risks for companies.
Most of these leaks come from negligent commits to active repositories. In 2023, 7 out of every 1,000 commits and 4.6% of active repositories exposed at least one secret. Shockingly, 11.7% of contributing authors were involved in these leaks.
Despite notifications, only 2.6% of exposed secrets were revoked within an hour. Worse still, 90% remained active five days later. This inaction leaves companies vulnerable to data breaches and unauthorized access.
The group 'ShinyHunters' has been particularly active, responsible for the most GitHub repository leaks in 2021 and the largest SaaS compromise in history in 2023, exposing about 1.5 billion data records from 760 companies. This marks a significant escalation in both frequency and scale of leaks.
With 50 million new repositories added to GitHub in the past year, and 3 million featuring leaked secrets, the situation is worsening. The IT sector, accounting for 65.9% of all leaked secrets, is particularly at risk. GitGuardian urges swift action to discover and remediate these leaks, emphasizing the importance of effective remediation guidance for developers to mitigate this persistent security threat.