Nightfall AI today published findings from its annual State of Secrets Report. This research revealed that secrets like passwords and API keys were most often found in GitHub, with nearly 350 total secrets exposed per 100 employees every year. What’s more concerning is that 35% of all API keys discovered were still active — posing a major risk for privilege escalation attacks, data leaks, data breaches and more. Many of the secrets discovered had already been exposed for several months.
Companies who have embraced modern cloud, SaaS and GenAI environments have only just begun to uncover the hidden risks of secret sprawl, which occurs when sensitive information like API keys or passwords are spread to apps, files and messages where they don’t belong. From within apps like Slack, GitHub, Jira and Google Drive, threat actors can easily find and leverage company secrets to compromise organizations to a devastating degree, as we’ve seen in numerous high-profile incidents at major brands, such as The New York Times and Sisense. Nightfall’s research aimed to bring this challenge to light and help companies understand where their secrets are sprawled—as well as how they can clean up their tech stack.
In its research, Nightfall scanned hundreds of terabytes of data looking for sensitive secrets — passwords, API keys, database connection strings and cryptographic keys — shared across cloud systems and applications over the past year, and found more than 171,000 secrets exposed across SaaS apps, GenAI tools, email and endpoints. While GitHub had the highest volume of secret sprawl, 54% of exposed secrets were found in other developer and productivity apps, including Confluence (134 per 100 employees), Zendesk (110), Slack (64) and Google Drive (34). This is notable because gaining visibility into sensitive data across a multitude of different SaaS platforms is a significant challenge for companies.
In its research summary, Nightfall breaks its findings down with a focus on passwords and API keys. Here are a few of the findings:
Passwords were the most commonly exposed secrets.
· 59% of the secrets discovered were passwords
· 8 passwords were discovered per 100 employees per week
· Passwords were most commonly found in GitHub (54%), Confluence (23%), Zendesk (15%) and Slack (8%)
API Keys were found across many popular SaaS and development platforms.
· 39% of the secrets discovered were API keys
· API keys were most commonly found in GitHub (71%), Slack (6.6%), Google Drive (6.6%) and Jira (6.6%)
· 7 API keys were discovered per 100 employees per week
· The most risky types of API keys commonly discovered were JSON web tokens, and API keys for Slack, AWS, GitHub, Gitlab, Google Cloud and Azure
“Secret sprawl is a pervasive and ever-present problem that companies must address now,” said Rohan Sathe, co-founder and CTO, Nightfall. “Fortunately, it is easily preventable. It’s important for security teams to know what secrets are being shared and where they’re being shared in order to take action and minimize secret exposure.”
Continuous monitoring and automated remediation can dramatically reduce the time it takes to identify and mitigate risk associated with secret sprawl. Nightfall also recommends that companies implement end-to-end encryption, use password managers and rotate API keys regularly to stave off data leaks and breaches. Nightfall also highlights the importance of educating employees about the safest ways to share secrets, and enforcing those teachings throughout the year as opposed to with annual security training alone.
Learn more about secrets sprawl and Nightfall’s research findings.
