12-05-2025
Warning — 23 Million New Plaintext Credentials Leaked Online
23 million new hardcoded secrets leaked on public GitHub in 2024, report confirms.
I won't lie, on May 3, when I reported that 19 billion compromised passwords had been found within criminal forums on both the dark and surface web, I thought that the leaked credentials problem couldn't really get any worse. Within 10 days, I had been forced to revise that viewpoint as the actual number of unique stolen passwords included in that list increased from 1.4 billion to 2.9 billion. Oh, and 14 million stolen credit cards were also included, making things even worse. Given the threat posed by so-called unsophisticated hackers looking for the easiest routes to system compromise, and the role that such password lists play, it's hardly surprising I was concerned. And then, dear reader, I was passed a copy of a new report that revealed a revised and truly concerning number of plaintext credentials leaked publicly. Let me explain why.
Rarely has the opening line of a security analysis struck me as strongly as that of the GitGuardian 'State of Secrets Sprawl 2025' report. I mean, I wasn't surprised to read that 'long-lived plaintext credentials have been involved in most breaches over the last several years,' but knowing the context, it still hit very hard. After all, this is a message I've been trying to get across for years, decades even, and apparently with very little success. The second half of that leading paragraph sums up my concern nicely: 'When valid credentials, such as API keys, passwords, and authentication tokens, leak, attackers at any skill level can gain initial access or perform rapid lateral movement through systems.'
These secrets, these plaintext credentials, should not be leaked. Period. That's pretty obvious to everyone, isn't it? So why, then, according to the GitGuardian analysis, were there a staggering 23,770,171 new hardcoded secrets that had been added to public GitHub repositories in 2024? Sure, it's not in the billions, but it's the context that matters here. It's the kind of credentials, and the fact that this represents an increase of some 25% over the numbers leaked in 2023, that concerns me the most. That, my friends, is genuinely shocking and suggests that lessons are not being learned. Despite GitHub's efforts to prevent such credential leakage, the sprawl of these plaintext secrets is worsening, not improving.
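The check a repository owner can run before a commit ever reaches a public remote, added here as an illustration rather than taken from the GitGuardian report or from GitHub's own secret-scanning code: a small Python scanner that matches documented credential formats (AWS access key IDs, GitHub personal access tokens, PEM private-key headers) and gates generic `key = "..."` assignments behind a Shannon-entropy threshold so placeholder values do not flood the output. The sample file, the rule names, the 3.5-bit threshold and the redaction format are assumptions made for this example; the AWS key shown is the one Amazon uses in its own documentation.

```python
"""Minimal hardcoded-secret detector, the kind a pre-commit hook or CI step runs.

Example code written for this article; not GitGuardian's or GitHub's scanner.
"""
import math
import re
import sys
from dataclasses import dataclass

# Illustrative rules only. The prefixes are the publicly documented ones;
# a production ruleset has hundreds of detectors plus validity checks.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
    # Generic `name = "value"` where name looks credential-ish; group(1) is the value.
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd|pwd)\s*[:=]\s*['\"]([^'\"\s]{12,})['\"]"
    ),
}

# Assumed threshold (bits per character): real random keys sit well above it,
# words like "changeme" sit below it.
ENTROPY_THRESHOLD = 3.5


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    excerpt: str  # redacted; never echo the full secret into CI logs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep only a short prefix so a finding can be located without re-leaking it."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(text: str) -> list[Finding]:
    """Run every rule over every line; one finding per distinct (line, value)."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                candidate = m.group(1) if m.groups() else m.group(0)
                if (line_no, candidate) in seen:
                    continue  # a specific rule already claimed this value
                # Entropy gate applies only to the generic rule: specific formats
                # are already precise enough to report as-is.
                if rule == "generic_assignment" and shannon_entropy(candidate) < ENTROPY_THRESHOLD:
                    continue
                seen.add((line_no, candidate))
                findings.append(Finding(line_no, rule, redact(candidate)))
    return findings


# Constructed sample of a staged file. Every value is synthetic except the AWS
# key ID, which is Amazon's documented example and not a live credential.
SAMPLE_SOURCE = """\
# constructed sample of a staged file; every value below is synthetic
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "password"
api_key = "xq7Lp2ZkN9vT4mRb8HsW1yC3"
token = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
placeholder_secret = "changeme-changeme"
-----BEGIN RSA PRIVATE KEY-----
"""


def main(argv: list[str]) -> int:
    """Scan files named on the command line (or the built-in sample); non-zero exit blocks the commit."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SOURCE
    findings = scan_text(text)
    for f in findings:
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample it reports four lines: the AWS key, the high-entropy `api_key`, the GitHub token (claimed by the specific rule, so the generic rule does not report it a second time) and the private-key header; `db_password = "password"` is too short to pass the generic rule and `changeme-changeme` fails the entropy gate. Wired into a pre-commit hook (`git diff --cached -U0 | python scanner.py /dev/stdin`) the non-zero exit stops the commit locally, which is the only point at which a secret is still genuinely private; once it is in a public commit it must be treated as burned and rotated regardless of how quickly the file is deleted.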
If you are not concerned by this revelation, then, frankly, you need to take a long look at yourself. Consider that, as Verizon's 2024 Data Breach Investigations Report confirmed, nearly a third of all breaches have employed stolen credentials. Last year alone, Verizon said that 22% of breaches used compromised credentials as the initial access route.
'It is an attacker's favorite way to gain an initial foothold and to move laterally through environments,' GitGuardian warned. I have reached out to GitHub for a statement regarding the leakage of plaintext credentials as detailed by GitGuardian analysts, and will update this article once I have anything further to report.