The Expanding Threat Landscape: How Digital Secrets Sprawl Fuels Modern Cyberattacks

The Rising Tide of Exposed Secrets

In today’s interconnected digital ecosystem, sensitive information is leaking beyond traditional boundaries at an alarming rate. What once remained confined to code repositories now spreads across diverse platforms, creating a sprawling attack surface that threat actors are eagerly exploiting. This year has witnessed multiple high-profile incidents demonstrating how exposed credentials, API keys, and authentication tokens are becoming the weakest link in organizational security., according to recent studies

The Rising Tide of Exposed Secrets
Beyond Code Repositories: The New Frontier of Data Exposure
Case Studies: When Secrets Turn Dangerous
Supply Chain Vulnerabilities Multiply Risks
The AI Acceleration Factor
Building Better Defenses: From Hygiene to Damage Limitation

Beyond Code Repositories: The New Frontier of Data Exposure

While platforms like GitHub have long been known hunting grounds for exposed secrets, security researchers are discovering sensitive data in increasingly unexpected places. The recent attacks against Salesforce instances reveal how customer support cases have become repositories for confidential information. Attackers compromised multiple organizations through stolen OAuth tokens from integrated third-party applications, accessing not just sales data but additional secrets that put downstream customers at risk.

Guillaume Valadon, security researcher at GitGuardian, emphasizes that both cybercriminals and nation-state actors are capitalizing on what he terms “bad secret hygiene” to advance their campaigns. “They know that secrets are everywhere,” Valadon states, highlighting the pervasive nature of the problem., according to technology insights

Case Studies: When Secrets Turn Dangerous

The attack campaign tracked as UNC6395 demonstrates the cascading effects of exposed secrets. Beginning with a compromised GitHub account, attackers accessed private repositories containing OAuth tokens for the Salesloft Drift application. These tokens provided entry into multiple organizations’ Salesforce instances, where they discovered technical support cases containing logs, credentials, and over 100 API tokens submitted by customers for troubleshooting purposes., according to further reading

Cloudflare’s disclosure following the incident revealed the unexpected places sensitive data can surface. The company warned that “anything shared through this channel should now be considered compromised,” despite finding no evidence of malicious activity after rotating the exposed tokens.

Supply Chain Vulnerabilities Multiply Risks

The consequences of secret sprawl extend far beyond individual organizations. The recent Red Hat breach illustrates how exposed secrets create downstream risks for entire customer ecosystems. When threat actors compromised Red Hat’s GitLab instance, they accessed thousands of private repositories and allegedly stole customer engagement reports containing access tokens. The criminal group behind the breach claimed to have used these secrets to compromise one of Red Hat’s customers, though this remains unverified.

Further research from Wiz uncovered additional supply chain risks in developer tools. Their investigation of Visual Studio Code marketplaces revealed more than 550 validated secrets from hundreds of extension publishers. These included access tokens for the marketplaces themselves, potentially enabling threat actors to tamper with extensions and launch widespread supply chain attacks.

AI provider secrets from OpenAI, Google Gemini, and Anthropic
Cloud platform access credentials
Marketplace publishing tokens with extensive privileges

The AI Acceleration Factor

The proliferation of AI coding assistants is exacerbating the secrets management crisis. Rami McCarthy, principal security researcher at Wiz, notes increased adoption has led to “bad patterns of secrets management,” including storing plaintext secrets in configuration files. The volume of code being produced, combined with non-professional developers using these tools without security knowledge, creates perfect conditions for secret exposure.

Carole Winqwist, GitGuardian’s CMO, confirms the worrying trend: “It’s getting worse every year, for different reasons.” She highlights additional concerns with AI infrastructure, noting that “the Model Context Protocol layer is a nightmare of exposure because people are not configuring them correctly.”, as as previously reported

Building Better Defenses: From Hygiene to Damage Limitation

Security experts recommend a two-pronged approach to combat secret sprawl: improving secret hygiene practices and reducing the potential damage from exposed secrets. Effective monitoring and scanning must extend beyond internal development environments to external resources like application marketplaces and even communication platforms.

Organizations can implement several crucial measures:

Deploy short-term credentials with limited privileges
Restrict token validity to specific regions or IP addresses
Eliminate secret sharing between test and production environments
Implement comprehensive scanning across all data repositories

Winqwist emphasizes the importance of addressing over-privileging: “When they give a key to a system or a third-party, companies tend to over-privilege it because it’s easier that way. The worst is, a lot of organizations use the same key for test environments and production environments. And all of this is malpractice.”

As digital transformation accelerates and AI tools become more integrated into development workflows, the challenge of containing secret sprawl will only intensify. Organizations must prioritize comprehensive secrets management as a fundamental security requirement rather than an afterthought in their development lifecycle.