In today’s cybersecurity landscape, exposed credentials such as API keys, tokens, passwords, and certificates pose one of the most significant threats to organizational security. While detection capabilities have vastly improved, a worrying trend remains: once credentials are exposed, they often stay valid and unfixed for months or even years. This creates a persistent risk that attackers can exploit repeatedly, long after the original exposure.
This blog unpacks the findings from GitGuardian’s State of Secrets Sprawl 2025 report and explores why exposed secrets remain unrevoked, the dangers this poses, and best practices for mitigating the problem. The report’s most alarming finding is that a large percentage of credentials detected as far back as 2022 remain valid today.
GitGuardian’s analysis of millions of public GitHub repositories uncovered that many secrets exposed in 2022 remained valid and active well into 2025. This persistence demonstrates a critical failure in organizational security processes: detection is happening, but remediation is either slow or absent. Here are the key factors contributing to this problem:
Organizations often lack sufficient visibility over their codebases and deployment environments. Secrets might be hardcoded deep within legacy code, or scattered across multiple repositories and environments, making it difficult to find all exposed credentials. Even if automated detection tools are in place, they might not cover all repositories or branches, leading to incomplete awareness.
Remediation is not always straightforward. Rotating or revoking secrets requires updating them across all dependent services and applications. This coordinated update is complex and prone to risk—if a secret is rotated but one system still relies on the old one, it can cause outages or service failures.
Many organizations operate with limited security resources and competing priorities. Consequently, remediation efforts may be deprioritized, especially if the exposed secret appears low risk or the impact of a breach is underestimated.
The credentials that remain valid post-exposure are not trivial or test accounts; rather, they are often keys to critical infrastructure and data:
Databases like MongoDB, MySQL, and PostgreSQL continue to be exposed with valid credentials, allowing attackers potential full read/write access to sensitive data stores.
Cloud service credentials such as API keys and tokens for providers like AWS, Google Cloud, and Tencent Cloud remain active after exposure, putting entire cloud infrastructures at risk.
Access to these services can enable attackers to extract sensitive data, modify configurations, deploy malware, or pivot to other parts of an organization’s network.
Statistics from GitGuardian’s report show alarming trends:
Valid exposed cloud credentials increased from under 10% in 2023 to nearly 16% in 2024.
Credentials leaked for critical services like MongoDB and Google Cloud increased each year, underscoring a growing attack surface.
Beyond the awareness and operational issues, technical challenges play a big role:
Developers sometimes embed secrets directly into source code for convenience, but these secrets can end up committed into public or private repositories and remain unnoticed. These secrets are often hardcoded in numerous places, making identification and revocation a massive, error-prone task.
Older systems may lack the capability to handle ephemeral or short-lived credentials, forcing organizations to use long-lived static credentials, which, once exposed, are a persistent risk.
Rotating secrets is often perceived as disruptive to business operations. This can cause downtime, service interruptions, or require coordination across multiple teams, discouraging frequent rotation.
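The outage risk described above (a secret is rotated while one system still relies on the old value) is usually addressed with an overlap window: the new version is issued, the old one keeps working for a bounded grace period, and stragglers are chased before the old version is revoked. The model below is an added illustration of that pattern and is not code from GitGuardian or the cited article; the RotatingSecret class, consumer names and grace period are assumptions made for the example.

```python
"""Zero-downtime secret rotation with a bounded overlap window (hypothetical model)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import secrets


@dataclass
class SecretVersion:
    value: str
    created_at: datetime
    expires_at: Optional[datetime] = None  # None: current version, no scheduled expiry
    revoked: bool = False

    def is_valid(self, now: datetime) -> bool:
        return not self.revoked and (self.expires_at is None or now < self.expires_at)


class RotatingSecret:
    """Current version plus older versions still inside their grace window."""

    def __init__(self, grace: timedelta, now: datetime) -> None:
        self.grace = grace
        self.versions: List[SecretVersion] = [SecretVersion(secrets.token_urlsafe(24), now)]
        self.consumers: Dict[str, str] = {}  # consumer name -> version value it last fetched

    @property
    def current(self) -> SecretVersion:
        return self.versions[-1]

    def rotate(self, now: datetime) -> str:
        # Give the old version a deadline instead of cutting it off immediately.
        self.current.expires_at = now + self.grace
        self.versions.append(SecretVersion(secrets.token_urlsafe(24), now))
        return self.current.value

    def consumer_fetch(self, name: str) -> str:
        # A consumer refreshes from the central store and records what it now uses.
        self.consumers[name] = self.current.value
        return self.current.value

    def authenticate(self, presented: str, now: datetime) -> bool:
        return any(v.value == presented and v.is_valid(now) for v in self.versions)

    def stragglers(self) -> List[str]:
        """Consumers still on a non-current version: these need attention before the deadline."""
        return sorted(n for n, v in self.consumers.items() if v != self.current.value)

    def expire_old(self, now: datetime) -> int:
        """Revoke every non-current version whose grace window has passed; returns the count."""
        due = [v for v in self.versions[:-1] if not v.revoked and v.expires_at and now >= v.expires_at]
        for v in due:
            v.revoked = True
        return len(due)
```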
The good news is that modern security practices and technologies can effectively tackle this problem. Organizations must combine visibility, automation, and culture changes to reduce credential persistence risks:
Automated scanning tools should be integrated into the software development lifecycle (SDLC) to continuously detect exposed secrets in code repositories, including branches and forked repositories.
Automating secret rotation and revocation reduces the remediation window. Tools and platforms that integrate with CI/CD pipelines can facilitate seamless secret replacement without manual errors.
Moving to short-lived, ephemeral credentials significantly reduces risk since even if exposed, they expire quickly and are unusable after their short lifespan.
Centralizing secrets in dedicated management platforms (e.g., HashiCorp Vault, AWS Secrets Manager) ensures consistent policy enforcement, audit trails, and easy rotation without scattering credentials in source code.
Educate developers on secure coding practices and implement secret scanning early in the development lifecycle to prevent secrets from being committed in the first place.
Perform periodic audits of secrets and monitor cloud service usage for anomalies that could indicate misuse of exposed credentials.
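Two of the practices above, scanning for hardcoded secrets in the SDLC and auditing findings that were detected but never remediated, are illustrated below. This is an added example, not GitGuardian's or the article's code: the three detection rules, the sample source lines and the findings ledger are constructed for the illustration, and the SLA threshold is an assumed policy value.

```python
"""Hardcoded-secret detection over source lines plus a remediation-age audit (added example)."""
import re
from datetime import date
from typing import Dict, List, Tuple

# Constructed detection rules; production scanners carry hundreds of such detectors.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "mongodb-uri-with-password": re.compile(r"mongodb(?:\+srv)?://[^:/\s]+:[^@\s]+@"),
    "generic-password-assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for every line that matches a rule; lines are 1-indexed."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((no, name))
    return hits


def overdue_findings(findings: List[Dict], today: date, sla_days: int) -> List[str]:
    """IDs of findings not yet revoked after sla_days: the 'detected but never fixed' backlog."""
    return [f["id"] for f in findings
            if not f["revoked"] and (today - f["detected_on"]).days > sla_days]


# Constructed sample source lines; the credential-looking values are fake placeholders.
SAMPLE_SOURCE = [
    'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"',
    'MONGO_URL = "mongodb+srv://app:Placeh0lderPw@cluster0.example.net/db"',
    'password = "not-a-real-pass-123"',
    'timeout = 30',
    'api_key = os.environ["API_KEY"]',  # read from the environment, not hardcoded
]

# Constructed findings ledger: one 2022 detection still live, one recent, one already revoked.
SAMPLE_FINDINGS = [
    {"id": "f1", "detected_on": date(2022, 6, 1), "revoked": False},
    {"id": "f2", "detected_on": date(2025, 5, 1), "revoked": False},
    {"id": "f3", "detected_on": date(2022, 9, 1), "revoked": True},
]

if __name__ == "__main__":
    print(scan_lines(SAMPLE_SOURCE))
    print(overdue_findings(SAMPLE_FINDINGS, date(2025, 5, 12), sla_days=30))
```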
Exposed credentials are an open door for attackers. The persistence of these credentials long after exposure reflects gaps in organizational processes, tooling, and culture around security.
Organizations must move beyond detection and invest in swift remediation, secret lifecycle management, and secure development practices. The adoption of ephemeral credentials, centralized secret management, and automated remediation will play a critical role in shrinking this persistent attack surface.
By taking these proactive steps, organizations can significantly reduce the risk associated with leaked secrets and enhance their overall security posture in the face of growing cloud and software complexity.
The Hacker News. (2025, May 12). The persistence problem: Why exposed credentials remain unfixed-and how to change that. https://thehackernews.com/2025/05/the-persistence-problem-why-exposed.html
Copyright © 2025 Clear Infosec. All Rights Reserved.