The only secure way to remediate an exposed API key or password is by rotating that secret’s value. But how often are developers and security teams actually rotating leaked secrets?
Using data from our tool Forager, we tracked 10,000 leaked secrets from public GitHub repositories for one month to understand how users responded.
74% of all leaked keys were still live/valid 31 days after being leaked.
If a key was revoked, the developer most likely revoked it in the first 3 days.
63% of files exposing live/valid secrets were still public on GitHub, and still exposing the live/valid secret, 31 days after exposure.
If a developer unpublished a file containing their secret, they most likely unpublished within the first week of exposure. Only 17% of all files containing a secret were unpublished; the rest remained public.
In more than 50% of cases where exposed keys were taken down from GitHub, they remained live/valid. This means a developer unpublished or deleted the file exposing the secret but did not rotate the leaked key. This reflects a fundamental misunderstanding of how to remediate a leaked credential.
Unfortunately, these results align very closely with other analyses we’ve done, as well as with anecdotal evidence from our community.
How did we research?
TruffleHog tracked 10,000 live secrets within 9,399 unique public GitHub files across a 31-day research period.
We generated the list of 10,000 live secrets by monitoring GitHub’s public event feeds for commits containing secrets to all public repositories from September 28, 2023, to October 17, 2023.
Then we tracked each secret for 31 days from its initial exposure date. (For secrets exposed on September 28, we tracked them until October 29. For secrets exposed on October 17, we tracked them until November 17.)
Every day, we checked secrets for three things:
Is the file containing the leaked key still available on GitHub?
If the file is still available on GitHub, has the key been removed?
Has the key been rotated? Or is it still live/valid?
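As an added example (not Truffle Security's code), here is how those daily checks can be replayed over per-secret timelines to reproduce the report's headline metrics: the share still valid at day 31, the share of revocations that happened within 3 days, the share of files unpublished, and the share of unpublished files whose key was never rotated. The secrets, their event days and the sample size are constructed.

```python
from dataclasses import dataclass

WINDOW_DAYS = 31  # the study tracked each secret for 31 days after exposure

@dataclass
class Observation:
    file_public: bool  # is the file still reachable on GitHub?
    key_valid: bool    # does the key still authenticate?

def make_timeline(unpublish_day=None, revoke_day=None):
    """Daily observations built from the (constructed) day each event happened."""
    return [Observation(file_public=unpublish_day is None or d < unpublish_day,
                        key_valid=revoke_day is None or d < revoke_day)
            for d in range(1, WINDOW_DAYS + 1)]

def first_day(timeline, predicate):
    """1-based day on which predicate first holds, or None if it never does."""
    return next((d for d, obs in enumerate(timeline, 1) if predicate(obs)), None)

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def summarize(timelines):
    """Recompute the report's headline metrics from per-secret daily checks."""
    n = len(timelines)
    revoked_on = [first_day(t, lambda o: not o.key_valid) for t in timelines]
    revoked_on = [d for d in revoked_on if d is not None]
    unpublished = [t for t in timelines
                   if first_day(t, lambda o: not o.file_public) is not None]
    return {
        "still_valid_at_day_31": pct(sum(t[-1].key_valid for t in timelines), n),
        "revoked_within_3_days": pct(sum(d <= 3 for d in revoked_on), len(revoked_on)),
        "files_unpublished": pct(len(unpublished), n),
        "unpublished_but_still_valid": pct(sum(t[-1].key_valid for t in unpublished),
                                           len(unpublished)),
    }

# Constructed sample of eight tracked secrets; not the study's own data.
SAMPLE = [
    make_timeline(),                               # untouched for 31 days
    make_timeline(revoke_day=2),                   # rotated fast, file left public
    make_timeline(revoke_day=10),
    make_timeline(unpublish_day=4),                # file deleted, key never rotated
    make_timeline(unpublish_day=5, revoke_day=5),  # deleted and rotated same day
    make_timeline(unpublish_day=20),               # deleted late, key still live
    make_timeline(),
    make_timeline(),
]
```

The "unpublished_but_still_valid" figure is the one the report flags: removing the file changes nothing about the key's validity, so only a revocation observed in the timeline counts as remediation.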
Revoke more keys. It’s commendable that 25% of developers revoke leaked keys within 31 days of their exposure; however, as an industry we need to push that number higher. We launched Forager to help alert users to leaked keys and HowToRotate.com to help users understand how to rotate their keys. Other organizations have launched similar initiatives to help promote key revocation.
The majority of developers who unpublished files containing exposed secrets did not revoke the leaked keys. As mentioned in previous articles (here and here), the risks associated with exposed keys do not magically disappear when the file exposing them is removed. Instead, attackers could still leverage those secrets for malicious purposes. We need to actively educate developers and security professionals about why key rotation is important and provide them with tools to make the rotation process easy.