Detecting leaked credentials is no longer enough. According to GitGuardian’s State of Secrets Sprawl 2025 report, the real crisis is what happens after detection. New findings show that a majority of exposed secrets in public repositories remain valid for years, offering attackers long-term access to sensitive systems—often without any resistance.
The report, based on an analysis of GitHub exposures from 2022 to 2024, found that thousands of leaked credentials, including production API tokens, database credentials, and cloud access keys, are still valid long after discovery. These aren’t harmless test tokens. They grant direct access to live infrastructure, customer data, and mission-critical services.
This persistent exposure reveals two main problems: either companies don’t know their secrets are exposed, or they lack the urgency and tooling to respond. In many cases, credentials are neither revoked automatically through expiration nor manually through rotation. Legacy systems, hardcoded credentials, and operational silos all contribute to this silent risk. While detection rates are improving, the failure to remediate keeps the attack surface wide open.
For secrets that are embedded deep in codebases, rotation often requires risky updates across services and environments. Organizations, especially those with limited resources, are forced to triage only the most critical leaks—leaving the rest to quietly fester.
Cloud Credentials Now Lead the Pack in Active Exposures
Between 2022 and 2024, a dramatic shift emerged in the types of credentials being exposed and remaining active. Cloud credentials, including access keys for AWS, Google Cloud, and Tencent Cloud, are now among the most dangerous exposures. In 2023, they represented just under 10% of all still-active exposed secrets; by 2024, that number surged to nearly 16%, reflecting both increased cloud adoption and continued security gaps in managing access.
In contrast, database credentials—once a top concern—have seen improvement. Valid, unremediated database secrets fell from 13% in 2023 to less than 7% in 2024, suggesting that recent attention on database breaches may be driving better security practices. Still, platforms like MongoDB, MySQL, and PostgreSQL remain common sources of leaked and unrecovered credentials.
What’s clear is that as companies adopt more cloud-native architectures, the speed and complexity of development have outpaced traditional secrets management methods. Static credentials—especially when hardcoded—are increasingly dangerous. Attackers are watching public repositories closely, and secrets often remain accessible for months or even years without being revoked.
GitGuardian’s findings underscore the need to transition toward short-lived, dynamic credentials and automated remediation tools. Secret managers and integrations that rotate keys on schedule or at every deployment are no longer optional—they’re essential.
Practical Strategies for High-Risk Exposures
To reduce risk, organizations must focus on immediate rotation of exposed secrets and a shift toward automated credential lifecycle management:
- MongoDB: Use IP allowlists and enable audit logging. For Atlas, rotate credentials via API in CI/CD pipelines.
- Google Cloud: Revoke exposed keys, switch to Workload Identity Federation or service account impersonation, and enforce least-privilege policies.
- AWS IAM: Replace static access keys with temporary credentials using IAM roles and AWS STS. Use IAM Roles Anywhere for external services and enable CloudTrail for suspicious activity tracking.
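As an added example (not from the report or from GitGuardian), the Python script below applies the AWS items above to constructed data: it flags active IAM access keys that are past an assumed 90-day rotation window, and it picks out CloudTrail events that were authenticated with a long-lived IAM user key (AKIA prefix) instead of temporary STS credentials (ASIA prefix). The inventory follows the JSON shape of `aws iam list-access-keys`; user names, key IDs, IP addresses and timestamps are all constructed.

```python
"""Added example: flag long-lived IAM access keys in a key inventory and in
CloudTrail events. All input below is constructed sample data."""
from datetime import datetime, timedelta, timezone

ROTATION_MAX_AGE = timedelta(days=90)  # assumed rotation policy, not from the report

# Constructed: AccessKeyMetadata entries as `aws iam list-access-keys` prints them.
KEY_INVENTORY = [
    {"UserName": "ci-deployer", "AccessKeyId": "AKIAEXAMPLE00000001",
     "Status": "Active", "CreateDate": "2022-03-14T10:00:00Z"},
    {"UserName": "analyst", "AccessKeyId": "AKIAEXAMPLE00000002",
     "Status": "Active", "CreateDate": "2024-11-01T08:30:00Z"},
    {"UserName": "legacy-app", "AccessKeyId": "AKIAEXAMPLE00000003",
     "Status": "Inactive", "CreateDate": "2021-06-01T00:00:00Z"},
]

# Constructed CloudTrail records (subset of fields). Access key ID prefixes:
# AKIA = long-lived IAM user key, ASIA = temporary credential issued by STS.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2025-01-10T12:00:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer",
                      "accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventTime": "2025-01-10T12:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci",
                      "accessKeyId": "ASIAEXAMPLE00000009"}},
]

def parse_ts(value):
    """Parse the UTC ISO-8601 timestamps used by IAM and CloudTrail."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stale_keys(inventory, now, max_age=ROTATION_MAX_AGE):
    """Return IDs of active access keys older than the rotation window."""
    return [k["AccessKeyId"] for k in inventory
            if k["Status"] == "Active" and now - parse_ts(k["CreateDate"]) > max_age]

def static_key_events(records):
    """Return (time, user, action) for events signed with a long-lived user key."""
    return [(r["eventTime"], r["userIdentity"].get("userName"), r["eventName"])
            for r in records
            if r["userIdentity"].get("accessKeyId", "").startswith("AKIA")]

if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    for key_id in stale_keys(KEY_INVENTORY, now):
        print("rotate:", key_id)
    for event in static_key_events(CLOUDTRAIL_RECORDS):
        print("static key used:", event)
```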
As the report makes clear, valid credentials exposed in public code remain one of the most under-addressed cybersecurity threats today. While breach detection is improving, remediation remains painfully slow—leaving attackers with all the time they need.