Security researcher uncovers 17,000 secrets in Public GitLab repositories

2025-12-01 13:05
After scanning the entire public database, he found thousands of secrets that could be used in cyberattacks.

By Sead Fadilpašić, published 1 December 2025

  • A researcher found 17,000 exposed secrets in GitLab Cloud repositories
  • Leaked credentials risk hijacks, cryptomining, and deeper infrastructure compromise
  • Marshall automated scans, earned $9,000 in bounties; some projects remain exposed

A security researcher found thousands of secrets in public GitLab Cloud repositories, demonstrating how software developers are inadvertently putting their own projects at risk of cyberattacks.

GitLab Cloud is the hosted version of GitLab, a platform developers use to store code, track issues, run CI/CD pipelines, and collaborate on software projects.

Recently, security researcher Luke Marshall scanned GitLab Cloud, Bitbucket, and Common Crawl for things like API keys, passwords, and tokens, and found quite a few. On GitLab Cloud there were 17,000 secrets exposed in public repositories, spread across 2,800 unique domains. On Bitbucket, he found more than 6,200 secrets across 2.6 million repositories, and on Common Crawl, 12,000 valid secrets.

Automating the scan

Hackers who find these credentials can hijack cloud accounts, steal data, deploy cryptominers, impersonate services, or pivot deeper into an organization’s infrastructure. Even a single leaked token can give attackers long-term access to internal systems, letting them modify code, drain resources, or launch further attacks without being detected.

While most of the secrets were relatively new (generated after 2018), there were some decades old and still valid, which almost certainly means they were discovered by malicious actors and used in attacks. Most of the secrets were credentials for Google Cloud Platform (GCP), and MongoDB keys. Other notable mentions include Telegram bot tokens, OpenAI keys, and GitLab keys.

Explaining the process, Marshall said he managed to automate most of it. It took him approximately 24 hours and just under $800 to get it all done. It was worth his while, and his money, though, since he allegedly managed to pick up around $9,000 in bounties for his efforts. He was able to automate the notification process, as well. Many of the notified developers secured their projects, but some remain exposed even now, he said.

Via BleepingComputer


Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
