39 million secrets leaked last year. Are yours safe? Here’s what you should know.
Published via GitHub Executive Insights
Secrets—such as API keys, passwords, tokens, encryption keys, and other credentials—are essential for modern software development. Developers frequently interact with credentials throughout the software development process—they securely connect your applications with critical infrastructure, databases, cloud services, and third-party APIs. However, keeping secrets safe can be challenging. Without strict controls and automated safeguards, these credentials can inadvertently end up in repositories, logs, or other unsecured locations, increasing the risk of exposure.
In 2024 alone, we detected more than 39 million leaked secrets on GitHub. According to the IBM Cost of Data Breach Report (2024), breaches involving compromised credentials cost organizations an average of $4.88 million per incident—a 10% increase from the previous year.
The impact of leaked secrets is growing, and as pressure to rapidly deliver software intensifies, organizations must adopt proactive security without burdening developers.
This article will help you understand how secret leaks occur, their financial and operational impact, and how to assess your organization’s unique risk profile. For current GitHub customers, we’ll also highlight the new secret risk assessment tool, which provides real-time insights into potential vulnerabilities within your codebase—helping teams take proactive security measures.
Are you a current GitHub customer? Have an organization admin run a secret risk assessment to see your organization's secret leak footprint.
Secret leaks commonly occur when credentials are inadvertently committed to repositories, mistakenly stored in logs, or exposed through misconfigured cloud environments. Attackers typically discover these secrets by scanning public repositories, exploiting misconfigurations, or through phishing and social engineering to infiltrate networks.
Once attackers gain access to these leaked credentials, they can move undetected through your systems, escalating privileges, accessing sensitive information, or even deploying ransomware. For instance, the 2022 LastPass breach began with attackers gaining access to a single compromised credential, ultimately leading to extensive data exposure and untold financial losses.
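The two leak vectors above (credentials committed to a repository and credentials echoed into logs) are what a secret scanner looks for. The following is an added example, not GitHub's own scanner or the secret risk assessment: it runs simplified credential patterns plus an entropy check over constructed commit content and CI log lines, redacts what it finds, and tallies findings by credential type. The patterns, the 3.5 bits/char threshold and all sample values are assumptions; only the `ghp_` and `AKIA` prefixes are documented public formats.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Simplified detector patterns (assumption: a real scanner carries many more
# provider-specific formats). "ghp_" (GitHub PAT) and "AKIA" (AWS access key id)
# are documented public prefixes; the generic rule catches name=value assignments.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{16,})"),
}

@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never store or log the full value

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score well above placeholder words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:]

def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Scan commit content or log output line by line for credential shapes."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex or 0)  # group 2 for the generic rule
                # Generic rule only: drop low-entropy placeholders like "changeme"
                if kind == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append(Finding(no, kind, redact(value)))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per credential type, as a risk assessment reports them."""
    return dict(Counter(f.kind for f in findings))

# Constructed sample: a CI log and two committed files (values are fake;
# AKIAIOSFODNN7EXAMPLE is AWS documentation's placeholder key id).
SAMPLE = """\
2024-06-01T10:02:11Z INFO  deploy: starting rollout for service=billing
2024-06-01T10:02:12Z DEBUG env: export GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
2024-06-01T10:02:12Z DEBUG env: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
config.yaml: api_key: "q7Fz9pL2mX4vB8nK1sD6wR3tY5uH0jE7"
tests/fixtures.py: password = "placeholder_placeholder"
"""
```

Running `scan_text(SAMPLE)` reports the token and key id from the log lines and the high-entropy `api_key` from the committed config, while the low-entropy test fixture is skipped; a pre-commit hook or log pipeline would feed this the staged diff or log stream instead of `SAMPLE`.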
The true cost of data exposure extends far beyond immediate financial losses. The $4.88 million average price tag per incident is only part of the damage. When sensitive information such as proprietary data, financial records, or customer details is compromised, the resulting damage can severely erode customer and partner trust. According to the Ponemon Sullivan Privacy Report, “65% of data breach victims lost trust in an organization as a result of a breach.”
Data breaches don’t just harm external reputation and finances—they disrupt internal operations as well. Organizations must redirect significant resources toward remediation and investigations, consuming valuable time and derailing progress on key business goals. Ultimately, the intangible costs—loss of trust, disrupted productivity, and strained relationships—can have an even greater and longer-lasting impact than the immediate financial losses.
Understanding and quantifying your organization's exposure to secret leaks is essential for strengthening your security posture and preventing breaches before they occur.
Factors that increase risk:
Quantifying your organization's risk
By implementing these strategies, you can improve your understanding of your organization's secret exposure. Identifying and quantifying your risk level is a critical step toward strengthening your security posture and ensuring alignment with your development processes.
Current GitHub customers: Quickly assess your secret exposure
GitHub’s secret risk assessment provides immediate, aggregated insights into your organization's exposure to leaked credentials. It helps you identify occurrences of publicly exposed secrets, evaluate internal exposure, and pinpoint the most common credential types at risk. Admins can run this assessment directly from their organization’s ‘Security’ tab, enabling rapid action to protect your organization from breaches.
Share this link with an org admin to run a secret risk assessment now.
Throughout this article, we've examined the growing risks associated with secret leaks, including how quickly leaked credentials can escalate into costly breaches and the significant, long-term impacts on customer trust and operational productivity.
If you want to go beyond understanding your organization’s exposure and learn more about proactive security measures, check out our in-depth eBook, Secret Scanning: A Key to Your Cybersecurity Strategy, where you'll discover:
Additionally, check out GitHub Secret Protection to learn how you can prevent secrets from being leaked across your enterprise and have your developers ship secure code, by default.
Want to learn more about the strategic role of AI and other innovations at GitHub? Explore Executive Insights for more thought leadership on the future of technology and business.