
GitHub had 13 million authentication keys leaked

 

GitHub users accidentally exposed 12.8 million authentication keys and sensitive data across more than 3 million public repositories during 2023, with the vast majority remaining valid after five days. Security researchers at GitGuardian sent 1.8 million free email alerts to those who exposed secrets and found that only 1.8% of those contacted took quick action to correct the error.

Exposed secrets include account passwords, API keys, Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates, encryption keys, cloud service credentials, OAuth tokens, and other sensitive data that can give external actors unlimited access to various private resources and services, leading to data breaches and financial damages.

GitGuardian claims that secret exposure on GitHub, the world’s most popular code hosting and collaboration platform, has been on a negative trend since 2020.

The “biggest leaking” countries in 2023 were India, the United States, Brazil, China, France, Canada, Vietnam, Indonesia, South Korea and Germany.

In terms of which sectors have leaked the most secrets, IT tops the list with the most at 65.9%, followed by education with a notable 20.1%, and all others combined (science, retail, manufacturing, finance, public administration, health, entertainment, transportation) representing 14%.

Generic detectors on GitGuardian's automated secrets detection and remediation platform captured about 45% of all sensitive data the company detected in 2023. Specific detectors, which can sort leaked secrets into more tangible categories, indicate massive exposure of Google API and Google Cloud keys, MongoDB credentials, OpenWeatherMap and Telegram bot tokens, MySQL and PostgreSQL credentials, and GitHub OAuth keys.
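The difference between specific and generic detectors can be shown with a small scanner. This is an added example, not GitGuardian's code: the patterns are commonly published token shapes for some of the providers named above, and the generic rule (a secret-sounding variable name plus an assumed entropy threshold of 3.5 bits per character) is one simple way to catch values no specific pattern knows about.

```python
import math
import re

# Specific detectors: one pattern per provider, using publicly documented
# token shapes (assumed here; not GitGuardian's actual rules).
SPECIFIC = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    "github_oauth_token": re.compile(r"\bgho_[A-Za-z0-9]{36}"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}"),
    "db_uri_with_password": re.compile(
        r"\b(?:mongodb(?:\+srv)?|mysql|postgres(?:ql)?)://[^\s:/@]+:[^\s@/]+@"),
}

# Generic detector: a quoted value assigned to a secret-sounding name.
GENERIC = re.compile(
    r"(?i)\b[\w.-]*(?:secret|token|passw(?:or)?d|api_?key)[\w.-]*"
    r"\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]")


def shannon_entropy(value):
    """Bits per character; random keys score high, placeholders low."""
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)


def scan(text, min_entropy=3.5):
    """Return (line_number, detector_name) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [name for name, rx in SPECIFIC.items() if rx.search(line)]
        if not hits:  # fall back to the generic detector
            m = GENERIC.search(line)
            if m and shannon_entropy(m.group(1)) >= min_entropy:
                hits = ["generic_high_entropy"]
        findings.extend((lineno, name) for name in hits)
    return findings


# Constructed sample file; every value below is fake.
SAMPLE = "\n".join([
    'GOOGLE_KEY = "AIza' + "EXAMPLE" * 5 + '"',
    'token = "gho_' + "0a" * 18 + '"',
    'DATABASE_URL = "postgresql://app:not-a-real-pw@db.example.internal/app"',
    'client_secret = "q7Zr2LmX9vKp4TsW8yBn"',
    'password = "changemechangemechangeme"',
    "timeout = 30",
])

if __name__ == "__main__":
    for lineno, name in scan(SAMPLE):
        print(f"line {lineno}: {name}")
```

The repeated placeholder password on line 5 of the sample is skipped because its entropy falls below the threshold, which is the trade-off generic detectors make to limit false positives.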

According to GitGuardian, 2.6% of exposed secrets are revoked within the first hour, but a staggering 91.6% remain valid even after five days, when the platform stops monitoring their status.

According to the company, Riot Games, GitHub, OpenAI and AWS appear to have the best response mechanisms to help detect bad commits and remedy the situation.

Generative AI tools continued their explosive growth in 2023, also reflected in the number of relevant secrets exposed on GitHub last year. GitGuardian saw a massive 1,212x increase in the number of OpenAI API keys leaked on GitHub compared to 2022, exposing an average of 46,441 API keys per month, reaching the highest growth data point in the report.

OpenAI is known for products like ChatGPT and DALL-E, which have widespread use beyond the technology community. Many companies and employees enter sensitive information into ChatGPT prompts, and exposing these keys is extremely risky.

The open-source AI model repository HuggingFace has seen a sharp increase in secret leaks, which is directly linked to its growing popularity among AI researchers and developers.

Other AI services such as Cohere, Claude, Clarifai, Google Bard, Pinecone and Replicate have also had secret leaks, albeit at a much lower level.

While those using AI services need to better protect their secrets, GitGuardian says the technologies can also be used to detect and protect secrets. The company claims that large language models (LLMs) can help categorize leaked secrets quickly and with fewer false positives. However, the enormous operational scale, cost and time considerations, and identification efficiency are limiting factors that keep such efforts challenging, at least for now.

Last month, GitHub enabled push protection by default to prevent accidental exposure of secrets when pushing new code to the platform.

 


Source: CisoAdvisor, GitGuardian
