Over 29M Secrets Leaked on GitHub in 2025

Security researchers have identified more than 29 million secrets — including hardcoded credentials, API keys and tokens — exposed in public GitHub repositories during 2025. The analysis suggests automated developer tools and AI-assisted commit suggestions are often making the situation worse by introducing or failing to detect sensitive data.

Leaks ranged from plain-text passwords and cloud keys to configuration files that should never have been pushed to public repos. In many cases, commits that contained these secrets came from automated or semi-automated sources: CI/CD scripts, bot accounts, and patches suggested by AI code assistants. Instead of catching mistakes, some of these tools appear to generate or reintroduce sensitive strings as part of suggested changes.

Researchers warn that the availability of such secrets increases the attack surface for opportunistic and targeted attacks. Misconfigured or leaked credentials can give attackers access to cloud resources, databases and third-party services, potentially leading to data breaches, unauthorized infrastructure use and financial exposure.

Developers and teams are being advised to take practical steps: use secret management solutions, rotate exposed keys immediately, enable repository secret scanning, and adopt pre-commit hooks or CI checks that block accidental commits. Organizations should also limit token scopes and enforce least-privilege policies to reduce impact when a secret slips into a repo.

Toolmakers are being urged to improve AI code assistants and automated commit systems to better recognize and avoid handling secrets. Suggestions include integrating secret-detection models into the generation pipeline and warning users when proposed code touches files or patterns commonly associated with credentials.

It’s a reminder that automation and AI can speed development, but they also demand careful guardrails. Treating these systems as partners that need oversight — rather than flawless substitutes for human review — may help shrink the number of secrets escaping into public view.