Well-Architected Framework
Manage leaked secrets
Most application and infrastructure systems rely on secrets like passwords, API keys, and tokens to authenticate users and services. When secrets leak through code repositories, documentation, or process shortcuts, organizations face unauthorized access, regulatory fines, and negative business impact.
Secure secret management must balance security and developer productivity. When organizations make secure access too difficult, developers bypass security controls and create the exact risks that security measures intended to prevent. Developers might hardcode secrets into source code, share credentials through insecure channels, or store secrets in documentation.
Why manage leaked secrets systematically
Prevent financial damage: Leaked secrets are costly to organizations. Data breaches resulting from exposed credentials impose massive financial burdens through incident response, forensics, legal fees, regulatory fines, and customer notification.
Attackers exploit secrets: GitHub reported 39 million secrets leaked in public repositories during 2024, with attackers discovering exposed credentials every 30 seconds on average. Automated scanning tools continuously monitor repositories, allowing attackers to exploit leaked credentials within hours. Tools like HCP Vault Radar automate the detection and identification of unmanaged secrets in your code so that security teams can take appropriate actions to remediate issues.
Process friction undermines security: When secure secret access requires complex approvals or lacks centralized management, teams circumvent security controls by hardcoding credentials, sharing passwords, or storing secrets in documentation. This friction creates more security risks than it prevents and reduces overall organizational productivity.
Insider threats increase breach risk: Organizations that fail to implement separation of duties, least-privilege access controls, and comprehensive audit trails face significant risk from both malicious insiders and accidental exposure. Insider threats account for a significant portion of data breaches, with inadequate access controls enabling both intentional theft and unintentional exposure.
How do secrets leak?
The following are common ways organizations leak secrets:
- Code repositories: Developers accidentally commit API keys, passwords, and tokens directly into source code. Once secrets are in code and pushed to repositories, either public or private, they become accessible to anyone with repository access and remain in the commit history until someone removes them.
- Process friction: When securely accessing a secret is too difficult, people find a way to bypass the process and retrieve the secret another way. Process friction harms operational excellence at organizations, effectively lowering the security posture.
The following are examples of process friction that lead to leaked secrets:
  - Overly complex or lengthy approval processes
  - Lack of documentation or training on how to securely access secrets
  - Lack of centralized management services such as secrets management or single sign-on (SSO)
  - Secret sprawl, when teams manage secrets in several locations with no single source of truth
Mitigate process friction with a centralized secret management system like Vault, create documentation and training for secret lifecycle management, and reduce the risk of human error by automating the use of secrets through CI/CD systems.
- Insider threats: An employee or ex-employee, either intentionally or unintentionally, leaks sensitive information.
An intentional insider threat is someone who purposely steals sensitive material, like an employee taking private encryption keys. An unintentional insider threat is someone who accidentally exposes sensitive information, such as by pushing a secret to a public repository or by being socially engineered into providing credentials to bad actors.
The chance of insider threats increases when there is process friction. An example is an environment that does not use single sign-on and requires users to have a different login for each system. When a user leaves the organization, the security team has to shut down that user's account in every system. If the account for one system is missed, the former user might still be able to access that system.
- Improper use of AI tools: AI increases developer productivity, but it also increases the risk of leaked secrets. A developer may use an AI tool to generate code that requires a secret. The AI tool may mishandle the secret, storing it in logs or using it to train future models.
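As an added illustration of the automated scanning this page points to for the "Code repositories" case above (example code written for this page, not HCP Vault Radar or any HashiCorp tool), the following scans a constructed sample of committed file content for two well-known public key prefixes and for high-entropy values assigned to secret-looking variable names. The sample values are constructed (the AWS value is the placeholder key ID AWS uses in its own documentation), and the last sample line shows the heuristic's blind spot: a human-chosen passphrase has too little entropy to be flagged, which is why format rules and a central secrets manager matter more than entropy checks alone.

```python
import math
import re

# Constructed sample of committed file content; the AWS value is the
# placeholder key ID AWS uses in its documentation, nothing here is real.
SAMPLE_COMMIT = """\
# config.py
DB_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_KEY = "q7Hs9xL2mPv4Rt8wZc1Kd6Yb3Ng5Fj0A"
PASSWORD = "correcthorsebatterystaple"
"""

# Two well-known credential formats (assumed sufficient for this example).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# A long literal assigned to a secret-looking variable name.
ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{16,})"
)

def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking strings score high, words score low."""
    length = len(value)
    return -sum(
        value.count(c) / length * math.log2(value.count(c) / length)
        for c in set(value)
    )

def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """One finding per line that matches a known format or a high-entropy assignment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in KNOWN_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule})
                break
        else:  # no known format matched; fall back to the entropy heuristic
            match = ASSIGNMENT.search(line)
            if match and shannon_entropy(match.group(2)) >= entropy_threshold:
                findings.append({"line": lineno, "rule": "high_entropy_assignment"})
    return findings

def scan_sample() -> list:
    return scan_text(SAMPLE_COMMIT)
```

Running `scan_sample()` reports lines 3 and 4 of the sample and stays silent on line 5, the passphrase; a scanner like this belongs in a pre-commit hook or CI job, with findings routed to the team that owns the repository so the credential can be rotated.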
Impact on the organization
Along with technical implications of leaked secrets, there are also major business and professional implications. When organizations leak secrets, they often experience a loss of trust. Losing trust can lead to application downtime, and the loss of new and existing customers which may result in a loss of revenue.
From 2015 through 2024, the three major credit bureaus all suffered major data breaches. The breaches exposed the personal information of millions of people. These breaches caused a loss of trust in the credit bureaus and also led to the United States government passing the Economic Growth, Regulatory Relief, and Consumer Protection Act. This bill requires the credit bureaus to provide free credit freezes and fraud alerts to consumers, among other requirements. Credit freezes had been a source of revenue for the credit bureaus.
A popular cryptocurrency exchange suffered a data breach stemming from insider threats. The company expects to pay up to $400 million to make up for the loss of customer funds.
In addition to the loss of revenue, individuals have been fired, fined, and even sued, and some have received prison sentences for attempting to cover up data breaches.
HashiCorp resources
Related WAF guidance:
- Grant least privilege for comprehensive access control patterns
- Store static secrets for secure storage best practices
- Rotate secrets for credential rotation strategies
External resources
- IBM's 2024 Cost of a Data Breach Report
- GitHub found 39M secret leaks in 2024
- AI programming copilots are worsening code security and leaking more secrets
- Economic Growth, Regulatory Relief, and Consumer Protection Act
Next steps
In this overview of Managing leaked secrets, you learned why systematic secret management matters, how secrets leak through code exposure and process friction, and the business impact of data breaches. Managing leaked secrets is part of the Secure systems pillar.
Follow the links below to learn specific strategies to prevent, detect, and remediate leaked secrets.
- Prevent leaked secrets with access controls to limit who can access secrets through separation of duties, least privilege, SSO, and zero trust access
- Prevent leaked secrets with credential management to eliminate static credentials through dynamic secrets and centralized management
- Detect leaked secrets across version control, documentation, and storage with automated scanning
- Remediate leaked secrets following NIST guidelines and rotate compromised credentials