Security researcher uncovers 17,000 secrets in Public GitLab repositories
After scanning the entire public database, he found thousands of secrets
- A researcher found 17,000 exposed secrets in GitLab Cloud repositories
- Leaked credentials risk hijacks, cryptomining, and deeper infrastructure compromise
- Marshall automated scans, earned $9,000 in bounties; some projects remain exposed
A security researcher found thousands of secrets in public GitLab Cloud repositories, demonstrating how software developers are inadvertently putting their own projects at risk of cyberattacks.
GitLab Cloud is the hosted version of GitLab, a platform developers use to store code, track issues, run CI/CD pipelines, and collaborate on software projects.
Recently, security researcher Luke Marshall scanned GitLab Cloud, Bitbucket, and Common Crawl for things like API keys, passwords, and tokens, and found quite a few. On GitLab Cloud there were 17,000 secrets exposed in public repositories, spread across 2,800 unique domains. On Bitbucket, he found more than 6,200 secrets in 2.6 million repositories, and on Common Crawl, 12,000 valid secrets.
Automating the scan
Hackers who find these credentials can hijack cloud accounts, steal data, deploy cryptominers, impersonate services, or pivot deeper into an organization’s infrastructure. Even a single leaked token can give attackers long-term access to internal systems, letting them modify code, drain resources, or launch further attacks without being detected.
While most of the secrets were relatively new (generated after 2018), some were decades old and still valid, which almost certainly means they have been discovered by malicious actors and used in attacks. Most of the secrets were credentials for Google Cloud Platform (GCP) and MongoDB keys. Other notable mentions include Telegram bot tokens, OpenAI keys, and GitLab keys.
Explaining the process, Marshall said he managed to automate most of it. It took him approximately 24 hours and just under $800 to get it all done. It was worth his while, and his money, though, since he allegedly managed to pick up around $9,000 in bounties for his efforts. He was able to automate the notification process, as well. Many of the notified developers secured their projects, but some remain exposed even now, he said.
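As an added illustration of the kind of automated secret scan the article describes (an example written for this page, not Marshall's tooling), here is a small Python checker a team can run over its own files before pushing, tuned to the secret types named above. The token patterns are assumptions based on publicly documented prefixes, and the sample repository content is constructed.

```python
import re

# Signature patterns for the secret types the article names (GCP, MongoDB,
# Telegram, OpenAI, GitLab). The formats are assumptions based on publicly
# documented token prefixes and will need updating as vendors change them.
SECRET_PATTERNS = {
    "gcp_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "gcp_service_account": re.compile(r'"type"\s*:\s*"service_account"'),
    "mongodb_uri": re.compile(r"mongodb(?:\+srv)?://[^:/\s]+:[^@\s]+@[^\s\"']+"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9]{48}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
}

def redact(value: str) -> str:
    """Keep only a short prefix so the report itself never re-leaks the secret."""
    return (value[:4] + "..." + "*" * 4) if len(value) > 4 else "*" * len(value)

def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per pattern hit, with file, line number and redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"file": path, "line": lineno, "kind": kind,
                                 "preview": redact(match.group(0))})
    return findings

def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> file contents (e.g. the staged files of a commit)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

# Constructed sample repository content; none of these values are real credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "MONGO_URI = 'mongodb+srv://app:hunter2@cluster0.example.net/prod'\n"
        "DEBUG = False\n"
    ),
    "bot/.env": "TELEGRAM_TOKEN=123456789:" + "A" * 35 + "\n",
    ".gitlab-ci.yml": "variables:\n  DEPLOY_TOKEN: glpat-" + "x" * 20 + "\n",
    "README.md": "Run `make test` before pushing.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['preview']}")
```

Wired into a pre-commit hook or CI job, a non-empty result should fail the run; a real deployment would add vendor-side validation so stale hits do not block every commit.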
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.