Exposed: 12.8 Million Credentials Leaked on GitHub
In 2023, GitHub users inadvertently disclosed approximately 12.8 million credentials and other confidential secrets across more than 3 million public repositories.
Cybersecurity experts at GitGuardian, upon investigating this issue, dispatched 1.8 million cautionary emails to account owners, yet less than 2% promptly remedied the breach.
The exposed secrets encompassed account passwords, API keys, TLS/SSL certificates, encryption keys, cloud service credentials, OAuth tokens, and other data that could facilitate unauthorized access to resources and services, posing threats of data breaches and financial losses.
Sophos’s 2023 report highlights that compromised credentials accounted for 50% of all attacks in the first half of the year, significantly outpacing the exploitation of vulnerabilities, which accounted for 23% of incidents.
GitGuardian emphasizes that the problem of secret leaks on GitHub, the premier platform for code hosting and collaboration, has intensified since 2020.
The highest number of leaks in 2023 were recorded in India, the USA, Brazil, China, France, Canada, Vietnam, Indonesia, South Korea, and Germany.
In terms of industry breakdown, the IT sector experienced the most significant leakage of secrets (65.9%), followed by education (20.1%), with all other industries combined (science, retail, manufacturing, finance, government, healthcare, entertainment, transportation) accounting for about 14% of the leaks.
Specific leaks predominantly included Google API and Google Cloud keys, MongoDB credentials, Telegram bot tokens, MySQL and PostgreSQL credentials, as well as GitHub OAuth keys.
It was noted that only 2.6% of the leaked secrets were revoked within the first hour after the leak, while a staggering 91.6% remained active even after five days. Companies such as Riot Games, GitHub, OpenAI, and AWS demonstrated the best response mechanisms to leaks.
2023 saw a surge in the use of generative AI tools, which also impacted the volume of corresponding secret leaks. GitGuardian recorded an average increase of 1212 times in the number of leaked OpenAI API keys compared to 2022.
In the last month, GitHub activated default protection against the accidental disclosure of secrets to prevent such incidents in the future.
The leakage of millions of secrets through public repositories on GitHub serves as a stern warning to the entire developer community. It underscores the importance of stringent security measures and the dangers of careless handling of confidential data.
Such incidents undermine trust in open-source projects and can lead to financial losses, hacks, and other severe consequences.
Developers must heighten their vigilance, implement robust secret protection practices, and swiftly respond to any leaks. A responsible approach alone will ensure the security of code and the preservation of valuable project data.