The Secrets Sprawl is Worse Than You Think: Key Takeaways from the 2025 Verizon DBIR
In its 18th edition, Verizon’s 2025 Data Breach Investigations Report (DBIR) delivers a stark confirmation of what security teams have long known: secrets exposure is rampant, and non-human identities (NHIs), such as tokens, keys, and long-lived JWTs, are now a leading cause of data breaches. As developers accelerate into the cloud and organizations increasingly adopt API-driven architectures, the hidden sprawl of unmanaged secrets is becoming a core security concern.
In this post, we break down 10 of the most critical insights from the 2025 DBIR that every engineering leader, DevOps team, and security practitioner should know about secrets, NHIs, and the growing challenge of securing them at scale.
1. Public Repositories Are Leaking an Alarming Volume of Secrets
Verizon's DBIR team reveals a massive footprint of exposed secrets across public GitHub and GitLab repositories. A staggering 441,780 secrets were discovered by scanners monitoring public code hosting platforms. Among these:
- GitLab tokens alone accounted for 50% of all CI/CD-related secrets.
- Web application infrastructure secrets—which often include session tokens, API auth headers, and config secrets—represented 39% of the total exposure.
“Some of these secrets can indeed provide attackers with direct access to environments.” — DBIR 2025, p. 17
2. Secrets Remain Public for Months
Secrets, once exposed, don’t get cleaned up quickly. The median time to remediation for secrets leaked to GitHub was a shocking 94 days, according to the DBIR’s data contributors. This is very much in line with the research done by GitGuardian, which shows teams are slow to rotate credentials.
Verizon states this gives adversaries a three-month window, on average, to extract and weaponize these credentials. Worse, leaked credentials often bypass traditional authentication controls entirely, offering direct, privileged access into cloud systems and codebases.
3. Google Cloud API Keys Dominate Cloud Secret Leaks
The DBIR reports that 43% of cloud-related secrets exposed in public repos were Google Cloud API keys. These are typically high-privilege, long-lived credentials used by services and infrastructure orchestration pipelines.
This highlights the critical need for automated scanning and short-lived credential models in CI/CD systems and infrastructure-as-code environments.
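To make the "automated scanning" recommendation concrete, here is a small, added example of a pre-push or CI scanning step. It is not code from the DBIR or from GitGuardian's product; the two detection patterns are assumptions based on the publicly documented shape of Google Cloud API keys (a 39-character value starting with "AIza") and GitLab personal access tokens (prefixed "glpat-"), and the sample commit content, including both key values, is constructed and not valid anywhere.

```python
import re
from dataclasses import dataclass
from typing import List

# Detection patterns are assumptions based on publicly documented token formats,
# not the DBIR's or GitGuardian's detectors. Lookarounds stop the match from
# firing inside a longer token-like string.
PATTERNS = {
    "google_cloud_api_key": re.compile(r"(?<![0-9A-Za-z_\-])AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])"),
    "gitlab_personal_access_token": re.compile(r"(?<![0-9A-Za-z_\-])glpat-[0-9A-Za-z_\-]{20}(?![0-9A-Za-z_\-])"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    redacted: str  # the full secret is never stored or logged


def redact(secret: str) -> str:
    """Keep a short prefix so a finding can be correlated, hide the rest."""
    return secret[:8] + "*" * (len(secret) - 8)


def find_secrets(text: str) -> List[Finding]:
    """Scan text line by line and return one Finding per matched secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(0))))
    return findings


# Constructed sample content (a .env-style file and a CI job) of the kind a
# developer might commit by mistake. Both key values are made up.
SAMPLE_COMMIT = """\
# config/.env
DATABASE_URL=postgres://app:app@db:5432/app
GOOGLE_MAPS_KEY=AIzaSyDUMMYkeyFORtesting0123456789abcde

# .gitlab-ci.yml
deploy:
  script:
    - curl --header "PRIVATE-TOKEN: glpat-CONSTRUCTEDsample000" https://gitlab.example/api/v4/projects
"""


def scan_commit(text: str = SAMPLE_COMMIT) -> List[Finding]:
    """Entry point a pre-receive hook or CI step would call; a non-empty result blocks the push."""
    return find_secrets(text)


if __name__ == "__main__":
    for f in scan_commit():
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
```

A hook built this way fails closed on any finding and reports only the redacted prefix, so the scanner's own logs do not become a second copy of the leak. Pattern-based detection of this sort catches well-formed provider keys; generic high-entropy strings need additional heuristics that this example does not attempt.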
4. Stolen Secrets Drive Third-Party Breaches
Third-party breaches, often involving supply chain vendors or SaaS platforms, doubled from 15% to 30% year-over-year. A major driver? Leaked secrets and stolen credentials reused across environments.
These compromises often occur in environments outside your control, yet they use your organization’s credentials, whether found in public code or collected by infostealers.
5. BYOD and InfoStealers = Double Trouble
Of the compromised systems in infostealer malware logs:
- 46% were non-managed BYOD or personal machines.
- Yet these systems had corporate logins present, indicating a mix of work and personal use on the same device.
The result: once compromised, attackers walk away with a hybrid set of secrets—corporate and personal—ideal for lateral movement, phishing, and initial access sales.
6. Secrets Lead the Breach Chain
Credential abuse was the most common initial access vector at 22%, followed by exploitation of vulnerabilities (20%) and phishing (15%). It’s worth noting that phishing often leads to credential abuse, making this vector even more prevalent than raw stats suggest.
Secrets left in the open, such as tokens, passwords, and API keys, are often directly responsible for breaches, especially when MFA is not enforced.
7. Leaked Secrets → Ransomware Access
According to Verizon's research, there’s a direct connection between secrets exposure and ransomware attacks:
- 54% of victims had their domains appear in credential dumps before being breached by ransomware groups.
- 40% of those victims had corporate email addresses in the leaks.
This correlation strongly supports the rise of access broker marketplaces—where leaked secrets are sold before ransomware is deployed.
8. VPN and Edge Devices = Prime Targets
Secrets used to configure VPNs and edge devices (often hardcoded or stored in local configs) were among the most exploited categories.
- 22% of exploitation attacks targeted edge devices and VPNs—a nearly 8x increase over the previous year.
- Many of these secrets go unmonitored and unrotated, living well beyond their intended lifespan.
9. GenAI Services: A New Leak Vector
The report also notes a concerning trend: 15% of employees are accessing GenAI platforms from corporate devices—often with personal email addresses (72%) or non-SAML-authenticated corporate emails (17%).
That means sensitive code or internal documents may be fed into LLMs outside of enterprise control, increasing risk of unintentional data exposure.
10. Secrets Hygiene Is the Achilles’ Heel of NHI Security
Across all of these findings, a common theme emerges: Non-human identities are wildly under-governed.
- Secrets are long-lived, over-permissioned, and poorly monitored.
- Lifecycle hygiene—expiration, revocation, rotation—is not enforced.
- Discovery and inventory of these credentials is patchy at best.
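The three hygiene gaps listed above (long-lived and over-permissioned secrets, unenforced lifecycle, patchy inventory) can be turned into a policy check that runs over whatever inventory a discovery tool exports. The following is an added example written for this post, not GitGuardian's or the DBIR's code; the policy thresholds, the credential records and the fixed audit date are all constructed, and the inventory schema is an assumption rather than any real tool's export format.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed policy values; real thresholds come from your own standard.
MAX_AGE_DAYS = 90                          # rotate anything older than this
UNUSED_DAYS = 30                           # nobody has used it recently: revoke
WILDCARD_SCOPES = {"*", "owner", "admin"}  # treated as over-permissioned


@dataclass
class Credential:
    """One non-human identity credential as a discovery tool might export it (assumed schema)."""
    name: str
    kind: str                         # e.g. "gcp_api_key", "gitlab_token", "service_account_key"
    created: date
    last_used: Optional[date]
    scopes: List[str] = field(default_factory=list)
    expires: Optional[date] = None


def evaluate(cred: Credential, today: date) -> List[str]:
    """Return the hygiene issues for one credential; an empty list means it passes."""
    issues = []
    age = (today - cred.created).days
    if age > MAX_AGE_DAYS:
        issues.append(f"stale: {age}d old, policy is {MAX_AGE_DAYS}d")
    if cred.expires is None:
        issues.append("no expiry set")
    elif cred.expires < today:
        issues.append("expired but still in inventory")
    if cred.last_used is None or (today - cred.last_used).days > UNUSED_DAYS:
        issues.append("unused: candidate for revocation")
    if WILDCARD_SCOPES.intersection(s.lower() for s in cred.scopes):
        issues.append("over-permissioned scope")
    return issues


def audit(inventory: List[Credential], today: date) -> Dict[str, List[str]]:
    """Map each failing credential to its issues; passing credentials are omitted."""
    report = {}
    for cred in inventory:
        issues = evaluate(cred, today)
        if issues:
            report[cred.name] = issues
    return report


# Constructed inventory and audit date, so the result is deterministic.
TODAY = date(2025, 6, 1)
INVENTORY = [
    Credential("ci-deploy-token", "gitlab_token", date(2025, 5, 20), date(2025, 5, 31),
               scopes=["read_registry"], expires=date(2025, 8, 18)),   # healthy
    Credential("maps-prod-key", "gcp_api_key", date(2024, 11, 3), date(2025, 5, 30),
               scopes=["maps"]),                                        # old, never expires
    Credential("legacy-sa-key", "service_account_key", date(2023, 1, 15), None,
               scopes=["owner"]),                                       # unused and over-permissioned
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY, TODAY).items():
        print(name, "->", "; ".join(issues))
```

Running the audit on a schedule, and failing the job when the report is non-empty, is what turns "rotation, expiration and scope reduction" from a guideline into an enforced control; the same report also gives incident responders a ready-made list of which credentials to revoke first.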
The DBIR’s data makes it clear: we are in the middle of a secrets management crisis, and tokenized identity systems are now the most dangerous insider.
How GitGuardian Can Help
As non-human identities (NHIs), like API tokens, cloud credentials, service accounts, and CI/CD secrets, become the dominant force behind modern application authentication, GitGuardian delivers the visibility and control security teams desperately need.
GitGuardian continuously scans public and private codebases, infrastructure-as-code, Docker images, and more to detect leaked or hardcoded credentials across the full NHI lifecycle. By integrating seamlessly with developer workflows and enforcing secret hygiene, like rotation, expiration, and scope reduction, GitGuardian helps teams prevent credential sprawl, shrink attack surfaces, and reduce time-to-remediation from months to minutes, before attackers exploit your organization's most privileged machine identities.
Final Thoughts
The 2025 DBIR delivers a wake-up call to all of us in security and engineering. If credentials are the new perimeter, secrets are the cracks in the wall. And every crack is an opportunity for an attacker.
As we at GitGuardian and others have long argued, secrets management needs to be treated as a core function for all, not just a developer hygiene issue. That means adopting tools that scan code, environments, and infrastructure in real time. It means enforcing key rotation, visibility, and scope reduction by default.
The bottom line? Secrets are no longer silent enablers—they’re loud, leaky liabilities. And it’s time we built systems that treat them as such. We would be happy to work with you.