CP
cyberpings
PrivacyHIGH

Secrets Sprawl - Key Takeaways for CISOs in 2026

Featured image for Secrets Sprawl - Key Takeaways for CISOs in 2026
THThe Hacker News
GitGuardianAIsecrets sprawlDevOpsDocker
🎯

Basically, secret credentials are leaking faster than ever, especially with AI tools involved.

Quick Summary

Secrets sprawl has surged, with 29 million new hardcoded secrets found in 2025. Security teams must adapt to protect against rising risks. GitGuardian's report reveals critical insights for managing credentials effectively.

What Happened

In 2025, secrets sprawl accelerated dramatically, with GitGuardian's report revealing 29 million new hardcoded secrets discovered across public GitHub. This marked a 34% increase from the previous year, the largest single-year jump ever recorded. The report identified three core trends: AI's impact on credential leaks, the exposure of internal systems, and ongoing challenges in remediation. As organizations increasingly rely on AI and developer tools, the risk associated with secrets sprawl continues to grow.

Who's Affected

The findings indicate that security teams across various sectors are at risk, as secrets are leaking at unprecedented rates. Internal repositories are particularly vulnerable, with 32.2% containing at least one hardcoded secret, compared to only 5.6% in public repositories. This discrepancy highlights a critical oversight in security practices. Additionally, 28% of leaks originated from collaboration tools like Slack and Jira, emphasizing the need for comprehensive monitoring across all platforms where credentials are shared.

What Data Was Exposed

The report shows that AI services alone drove an 81% increase in leaked secrets, with over 1.2 million secrets tied to these services in 2025. Notably, self-hosted GitLab and Docker registries exposed secrets at rates 3-4 times higher than public GitHub. Furthermore, 64% of secrets leaked in 2022 remained valid today, illustrating a significant gap in remediation efforts. This data underscores the critical nature of the credentials being leaked, which often include CI/CD tokens and cloud access credentials that attackers target.

What You Should Do

Organizations must shift their approach to managing secrets. This includes moving beyond mere detection to implementing non-human identity governance. Security teams should adopt strategies that eliminate long-lived static credentials, favoring short-lived identity-driven access. Regularly scanning internal systems, collaboration tools, and developer endpoints for leaks is essential. Additionally, teams should develop remediation workflows that allow for secure credential rotation without disrupting production environments. The evolving landscape of secrets sprawl necessitates a proactive and comprehensive security strategy.

🔒 Pro insight: The rapid increase in AI-related credential leaks signals an urgent need for enhanced governance and monitoring strategies across development environments.

Original article from

THThe Hacker News
Read Full Article

Share

Related Pings

MEDIUMPrivacy

Apple’s Camera Indicator Lights - A Security Review

Apple has introduced a new camera indicator light to enhance user privacy. This hardware feature alerts users when the camera is active, countering potential malware risks. It's a vital step for protecting personal data in a digital age.

Schneier on Security·
MEDIUMPrivacy

Android 17 Enhances Location Privacy with One-Time Access

Google's Android 17 brings new location privacy features, allowing users to control access with a one-time button. This update enhances data protection and transparency.

Help Net Security·
MEDIUMPrivacy

Smart Home Breach - Lack of Government Guidance Exposed

A new study shows that government guidance for smart home breaches is lacking. Users often find themselves without clear steps to recover after a breach. This gap in support can leave households vulnerable and confused. It's time for better guidance on handling smart home security incidents.

Help Net Security·
HIGHPrivacy

Privacy - Dutch Court Threatens xAI Over Grok's Nude Images

A Dutch court has ordered xAI's Grok to stop creating nonconsensual nude images or face hefty fines. This ruling emphasizes the importance of consent in AI technologies and sets a precedent for ethical practices.

The Record·
MEDIUMPrivacy

Apple's Lockdown Mode - No Successful Spyware Hacks Reported

Apple claims no successful spyware attacks have targeted devices using Lockdown Mode. This feature helps protect users from government spyware threats. Stay informed and secure your privacy.

TechCrunch Security·
HIGHPrivacy

AI Frenzy Fuels Credential Chaos - Secrets Sprawl Explained

A massive surge in hardcoded secrets has been reported, with 28.65 million new credentials exposed in 2025. Both public and internal repositories are affected, increasing risks. Organizations must enhance their governance and monitoring to safeguard sensitive data effectively.

Help Net Security·