Over 12 Million Auth Secrets and Keys Leaked on GitHub in 2023

A new report from GitGuardian notes that GitHub users accidentally leaked 12.8 million authentication and sensitive secrets during 2023, highlighting a 28 percent increase over the previous year. The IT sector accounted for the most secrets leaked (65.9%), followed by education, science, retail, manufacturing, etc. The leaked secrets include anywhere from passwords, API Keys, TLS/SSL certificates, encryption keys, cloud service credentials, OAuth tokens, and much more. Specifically, the most common secrets leaked observed by GitGuardian include Google API and Google Cloud keys, MongoDB credentials, OpenWeatherMap and Telegram bot tokens, MySQL and PostgreSQL credentials, and GitHub OAuth keys, which could be used by threat actors to gain access to private resources and services, leading to significant data breaches.

Security Officer Comments:
GitGuardian says that it sent out 1.8 million email alerts to those who exposed secrets. However, only 1.8% of recipients took action. With the number of secrets exposed on GitHub increasing every year by the millions, this highlights the need for developers to take robust security measures when storing and managing their secrets. In general, developers should avoid including secrets in code and utilize secret management tools to provide a secure and central location for storing and managing these credentials. Repositories should also be routinely monitored and scanned to identify leaked secrets and removed once found. Various tools such as gitLeaks are out there that can help assist in automatically scanning repositories and sending alerts about exposed secrets. Organizations that rely on services like GitHub should also train employees on the dangers of mishandling secrets. Routine tabletop exercises can help bring awareness and prevent organizational secrets from being leaked which actors could abuse to gain access to mission-critical resources and systems.