March 12, 2024 at 11:25AM
GitGuardian reported that during 2023, 12.8 million sensitive secrets were accidentally exposed in over 3 million public repositories on GitHub, with the majority remaining valid after five days. The exposed secrets included account passwords, API keys, and certificates, posing significant security risks. The leakiest countries included India, the United States, and Brazil, with the IT sector accounting for 65.9% of the leaks. Additionally, AI-related secrets, such as OpenAI API keys, saw a significant increase in exposure, highlighting the need for improved security measures.
Key takeaways from the meeting notes:
– GitHub users accidentally exposed 12.8 million authentication and sensitive secrets in over 3 million public repositories during 2023, with a majority remaining valid after five days.
– Cybersecurity experts at GitGuardian sent out 1.8 million email alerts to those who exposed secrets, with only 1.8% taking quick action to correct the error.
– The exposed secrets include account passwords, API keys, TLS/SSL certificates, encryption keys, cloud service credentials, OAuth tokens, and other sensitive data, posing a risk of data breaches and financial damage.
– Compromised credentials accounted for 50% of the root cause for all attacks recorded in the first half of 2023, according to a Sophos report.
– The “leakiest” countries in 2023 were India, the United States, Brazil, China, France, Canada, Vietnam, Indonesia, South Korea, and Germany.
– The IT sector accounted for the majority (65.9%) of the leaked secrets, followed by education (20.1%), with other sectors combined accounting for 14%.
– GitGuardian detected about 45% of all secrets using generic detectors.
– A significant number of specific secrets, including Google API and Cloud keys, MongoDB credentials, OpenWeatherMap and Telegram bot tokens, MySQL and PostgreSQL credentials, and GitHub OAuth keys, were exposed.
– Only 2.6% of the exposed secrets were revoked within the first hour, while 91.6% remained valid after five days.
– Riot Games, GitHub, OpenAI, and AWS have effective response mechanisms to detect and remediate bad commits.
– Generative AI tools experienced explosive growth in 2023, leading to a significant increase in exposed AI API keys on GitHub.
– OpenAI API key leaks on GitHub increased 1,212x compared to 2022, with an average of 46,441 API keys leaked per month.
– GitHub enabled push protection by default to prevent accidental exposure of secrets when pushing new code to the platform.