35% of exposed API keys still active, posing major security risks

Nightfall AI’s research revealed that secrets like passwords and API keys were most often found in GitHub, with nearly 350 total secrets exposed per 100 employees every year.

Hidden risks of secret sprawl in cloud and SaaS environments

What’s more concerning is that 35% of all API keys discovered were still active — posing a major risk for privilege escalation attacks, data leaks, data breaches and more. Many of the secrets discovered had already been exposed for several months.

Companies who have embraced modern cloud, SaaS and GenAI environments have only just begun to uncover the hidden risks of secret sprawl, which occurs when sensitive information like API keys or passwords are spread to apps, files and messages where they don’t belong.

From within apps like Slack, GitHub, Jira and Google Drive, threat actors can easily find and leverage company secrets to compromise organizations to a devastating degree, as we’ve seen in numerous high-profile incidents at major brands, such as The New York Times and Sisense. Nightfall’s research aimed to bring this challenge to light and help companies understand where their secrets are sprawled—as well as how they can clean up their tech stack.

In its research, Nightfall scanned hundreds of terabytes of data looking for sensitive secrets — passwords, API keys, database connection strings and cryptographic keys — shared across cloud systems and applications over the past year, and found more than 171,000 secrets exposed across SaaS apps, GenAI tools, email and endpoints.

While GitHub had the highest volume of secret sprawl, 54% of exposed secrets were found in other developer and productivity apps, including Confluence (134 per 100 employees), Zendesk (110), Slack (64) and Google Drive (34). This is notable because gaining visibility into sensitive data across a multitude of different SaaS platforms is a significant challenge for companies.

Passwords were the most commonly exposed secrets

Passwords take the cake by comprising over half (59%) of detected secrets, with API keys following closely behind (39%). To give organizations a more scalable metric, this shakes out to roughly 8 passwords and 7 API keys detected per 100 employees per week. At an enterprise level, this could amount to thousands of secrets sprawled per year.

While Nightfall saw that passwords and API keys had slight variations in where they were sprawled, GitHub is the most likely place to find either of these categories of secrets, with 339 secrets shared per 100 employees per year. Confluence and Zendesk boast a high volume of secrets shared as well, all with over 100 secrets per 100 employees per year.

“Secret sprawl is a pervasive and ever-present problem that companies must address now,” said Rohan Sathe, CTO, Nightfall. “Fortunately, it is easily preventable. It’s important for security teams to know what secrets are being shared and where they’re being shared in order to take action and minimize secret exposure.”

Combatting secret sprawl

Continuous monitoring and automated remediation can dramatically reduce the time it takes to identify and mitigate risk associated with secret sprawl. Nightfall also recommends that companies implement end-to-end encryption, use password managers and rotate API keys regularly to stave off data leaks and breaches. Researchers also highlight the importance of educating employees about the safest ways to share secrets, and enforcing those teachings throughout the year as opposed to with annual security training alone.