Software code pushed to online code repositories exposed twice as many secrets as last year, putting organizations’ security at risk.
Organizations leaked more than 6 million passwords, API keys, and other sensitive data — collectively known as development “secrets” — in 2021, doubling the number from the previous year, according to a new GitGuardian report published today. The report accounted for the fact that more code is being pushed to repositories and better detection capabilities are available.
On average, the company found that three out of every 1,000 commits to GitHub leaked a secret, a frequency 50% higher than in 2020. More than half of the secrets consisted of private encryption keys or credentials for accessing data storage services, cloud providers, or development tools, while another 10% consisted of credentials for messaging systems and version-control platforms.
Leaking sensitive access information to potential attackers undermines the security of corporate networks and infrastructure, says Mackenzie Jackson, a developer advocate at GitGuardian. The term “secret” refers to any digital authentication credentials that “grant access to services, systems, and data,” including API keys, application or service credentials, and security certificates, GitGuardian says.
“In almost all attacks, secrets are used in one way or another, perhaps not as initial access, but certainly to elevate attackers’ privileges and move into different systems,” Jackson says. “We were honestly surprised to see this drastic increase, but obviously it comes down to the increased amount of technology that developers are

Read more: https://bit.ly/3IHA32g