On GitHub in 2023, users accidentally disclosed 12.8 million secrets in more than 3 million public repositories

• Євгеній Демківський
• 14.03.2024
• Categories: News
• Tags: Cybersecurity, GitHub, Software

In 2023, GitHub leaked authentication keys and other information, and most developers did not take care to recall them even after being informed of the incident, TechRadar reports.

The study was conducted by GitGuardian, a project that helps secure software development by automating the detection and elimination of information leaks.

The project’s report claims that in 2023, GitHub users accidentally disclosed 12.8 million secrets in more than 3 million public repositories.

These secrets include account passwords, API keys, TLS/SSL certificates, encryption keys, cloud service credentials, OAuth tokens, and more.

During the development phase, many IT professionals directly code various authentication secrets to make their lives easier.

However, they often forget to remove the secrets before publishing the code to GitHub. Thus, if attackers find out about these secrets, they will have easy access to private resources and services, which can lead to data leaks and other similar incidents.

The largest number of leaks was recorded in India, followed by the United States, Brazil, China, France, and Canada. The vast majority of leaks originated in the IT industry (65.9%), followed by education (20.1%). The remaining 14% are distributed among science, retail, manufacturing, finance, public administration, healthcare, entertainment, and transportation.

Only 2.6% of secrets are revoked within an hour – almost all the rest (91.6%) remain valid even after five days, when GitGuardian stops tracking their status. To make matters worse, the project has sent 1.8 million emails to various developers and companies alerting them to its findings, and only 1.8% have responded by removing secrets from the code.

Riot Games, GitHub, OpenAI, and AWS were included in the list of companies with the best response mechanisms.