GitGuardian has launched the 2024 edition of its State of Secrets Sprawl report. The study finds that 12.8 million new secret occurrences were leaked publicly on GitHub in 2023, a 28% increase over 2022. Remarkably, the number of publicly exposed secrets has quadrupled since the company began reporting in 2021.
The growing number of code repositories on GitHub, with 50 million new repositories added in the past year (+22%), increases the risk of both accidental and deliberate exposure of sensitive information. In 2023 alone, over 1 million valid occurrences of Google API secrets, 250,000 Google Cloud secrets, and 140,000 AWS secrets were detected.
While the IT sector, which includes software vendors, is the most affected industry, with 65.9% of all detected leaks, other industries are also impacted. These include Education, Science & Tech, Retail, Manufacturing, and Finance & Insurance, which account for 20.1%, 7%, 1.5%, 1.2%, and 1% of leaks, respectively.
This highlights the need for increased vigilance and proactive measures to protect sensitive information across all industries as the risks associated with secrets sprawl continue to grow.
The Security Gap of Non-Revoked Secrets: A Major Risk for Companies
The research sheds light on an important security gap: of the exposed valid secrets discovered, 90% remain active for at least five days after the author is notified. API keys and authentication tokens for major service providers such as Cloudflare, AWS, OpenAI, and even GitHub are among the credentials most often left unrevoked.
"Developers erasing leaky commits or repositories instead of revoking are creating a major security risk for companies, which will remain vulnerable to threat actors mirroring public GitHub activity for as long as the credential remains valid. These zombie leaks are the worst," said Eric Fourrier, CEO and Founder of GitGuardian.
To assess the prevalence of zombie leaks, the study selected a random sample of 5,000 erased commits that had exposed a secret. Of the repositories that hosted these commits, only 28.2% were still accessible at the time of the study. This indicates that the remaining repositories were likely deleted or made private in response to the leak, suggesting that the prevalence of zombie leaks may be underestimated.
Furthermore, the study hypothesizes that companies may use DMCA takedowns as a means to govern leaky repositories over which they have no control. In support of this, the study found that in 2023, 12.4% of the 2,050 repositories taken down by GitHub exposed at least one secret, a 37.8% increase from 2020.
These findings are crucial for grasping the full scope of the secrets sprawl issue. While most security initiatives focus on detecting leaks, the bottleneck lies in remediation, that is, in actually revoking and replacing the exposed credential. Simply alerting developers falls short; what is truly essential is giving them the guidance and support they need to rectify their mistakes effectively.
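As an added illustration of the zombie-leak problem and the remediation point above (example code, not GitGuardian's scanner), the following check walks every commit snapshot of a repository rather than only the current tree, so a credential that was erased in a later commit is still reported and flagged for revocation. The commit history and key values are constructed, and the three detectors rely on the publicly documented prefixes of AWS access key IDs, Google API keys and GitHub personal access tokens.

```python
import re
from dataclasses import dataclass

# Public formats of three credential types the report names. Matching the
# prefix and length is enough to flag a candidate for revocation.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    first_commit: str   # oldest commit in which the value appears
    in_head: bool       # still present in the current tree?

def scan_history(commits):
    """commits: list of (sha, {path: content}) snapshots, oldest first.
    Every snapshot is scanned, not just HEAD: a secret removed from the tree
    later is still in the history that any clone or mirror already holds."""
    seen = {}  # secret value -> (kind, first sha)
    for sha, tree in commits:
        for content in tree.values():
            for kind, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(content):
                    seen.setdefault(m.group(0), (kind, sha))
    head_text = "\n".join(commits[-1][1].values()) if commits else ""
    return [Finding(k, v, sha, v in head_text) for v, (k, sha) in seen.items()]

def remediation(finding):
    # Deleting or rewriting the commit does not invalidate the credential;
    # only revocation at the provider does. Name zombie leaks explicitly.
    if finding.in_head:
        return "revoke at provider, then remove from tree"
    return "zombie leak: removed from tree but never revoked; revoke now"

# Constructed history: the AWS key (AWS's documented example key) is added in
# c1 and "erased" in c3; the constructed Google key is still live in HEAD.
GOOGLE_KEY = "AIzaSyEXAMPLE" + "0" * 26
SAMPLE_HISTORY = [
    ("c1", {"config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'}),
    ("c2", {"config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
            "app.py": f'GOOGLE_KEY = "{GOOGLE_KEY}"\n'}),
    ("c3", {"config.py": 'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n',
            "app.py": f'GOOGLE_KEY = "{GOOGLE_KEY}"\n'}),
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.kind} first seen in {f.first_commit}: {remediation(f)}")
```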
"The Toyota breach in 2022, which occurred after a hacker obtained credentials for one of its servers from source code published on GitHub, is proof that even five years after a leak, a compromise can still happen," said Eric Fourrier.
Download the State of Secrets Sprawl 2024 report here.