Exposed Secrets in Public GitLab Repositories
Summary
A security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains in public GitLab repositories. The scan, conducted with the TruffleHog tool, turned up a significant number of valid credentials, including API keys, passwords, and tokens. The findings highlight the ongoing risk of sensitive data exposure in public code repositories. Many of the secrets were relatively recent, though some dated back to 2009 and were still valid. The most common leaked secrets were Google Cloud Platform (GCP) credentials, followed by MongoDB keys, Telegram bot tokens, and OpenAI keys.
Timeline
- 28.11.2025 19:43 (1 article)
Security Engineer Discovers 17,000 Exposed Secrets in GitLab Repositories
A security engineer scanned 5.6 million public GitLab repositories and discovered more than 17,000 exposed secrets. The scan revealed a significant number of valid credentials, including API keys, passwords, and tokens. The most common leaked secrets were GCP credentials, followed by MongoDB keys, Telegram bot tokens, and OpenAI keys. The researcher used automation to notify affected parties and collected $9,000 in bug bounties.
Source: Public GitLab repositories exposed more than 17,000 secrets — www.bleepingcomputer.com — 28.11.2025 19:43
Information Snippets
- The scan of 5.6 million public GitLab repositories revealed 17,430 verified live secrets.
  First reported: 28.11.2025 19:43 (1 source, 1 article)
- The scan was conducted using the TruffleHog open-source tool and AWS services.
- The scan cost a total of $770 and completed in just over 24 hours.
- The largest category of leaked secrets was GCP credentials, followed by MongoDB keys, Telegram bot tokens, and OpenAI keys.
- The researcher used automation to notify affected parties and collected $9,000 in bug bounties.