52 Non-Human Identity Breaches
A Year of Research, A Wake-Up Call for the Industry
As we celebrate 52 weeks since the formation of the Non-Human Identity Management Group, we’re marking this milestone by publishing the most comprehensive and independent analysis of Non-Human Identity (NHI) breaches ever released. This updated report now includes 52 real-world breaches, up from 40 breaches just a few months ago, demonstrating the rapidly growing threat landscape surrounding NHIs.
This post is not just a retrospective, It’s a wake-up call to every organization.
You are likely sitting on a massive, unmanaged exposure stemming from Non-Human Identities such as Service Accounts, Machine Identities, API Keys, OAuth Tokens, Certificates, and Secrets.
NHIs are now the #1 attack vector leveraged by both external and internal threat actors to infiltrate systems, move laterally, and steal sensitive data. With the accelerated adoption of Cloud and SaaS platforms, organizations are facing an uncontrollable Secrets Sprawl problem, further compounded by 3rd-party and software supply chain risks, as reflected in many of the breaches outlined below.
Whether you’re a CISO, engineer, architect, or developer, this growing NHI breach dataset is a critical resource for understanding:
- How NHIs are being exploited in real-world attacks
- Why traditional IAM and secrets management are falling short
- What practical steps you can take to reduce exposure
Explore all 52 breaches, learn from real-world incidents, and benchmark your own risk posture:
How reviewdog action Exposed Thousands of Secrets?
On March 11, 2025, the reviewdog/action-setup GitHub Action became the focus of a significant supply chain attack. Malicious activity was first detected when researchers observed that the v1 tag of reviewdog/action-setup had been altered between 18:42 and 20:31 UTC, allowing attackers to inject malicious code into the tool. This modification went unnoticed for a short period, but the consequences were immediate and widespread.
How iOS Apps Are Leaking Secrets and Endangering User Privacy
In March 2025, the mobile world is buzzing after recent research uncovered a shocking truth about iOS apps: many are riddled with secret leaks, and the coding practices behind them are far from secure. With over a billion iPhones in use worldwide, these revelations raise serious concerns about the safety of personal data and the standards upheld by developers.
Cisco Data Breach – Leaks Active Directory Credentials
On 10th February 2025, the Kraken ransomware group claimed responsibility for a data breach involving Cisco Systems. They alleged that they had infiltrated Cisco’s internal network and exfiltrated sensitive credentials from the company’s Windows Active Directory (AD) environment. The leaked data included usernames, security identifiers (SIDs), and NTLM password hashes. Cisco has refuted these claims, asserting that the data in question originates from a previously addressed incident in May 2022.
Salt Typhoon Used Cisco Flaw & Stolen Credentials to Hack U.S. Telecoms
In February 2025, Cisco Talos reported that the advanced persistent threat (APT) group known as Salt Typhoon, believed to be linked to China’s Ministry of State Security (MSS) or Guoanbu, managed to infiltrate several U.S. telecommunications networks. Shockingly, some of these intrusions went unnoticed for more than three years. The attackers took advantage of an old but still unpatched vulnerability in Cisco’s Smart Install feature, known as CVE-2018-0171, while also leveraging stolen credentials to deepen their access. Their approach combined stealth and persistence, making detection incredibly difficult until significant damage had already been done.
In February 2025, a significant data breach involving OmniGPT, a widely-used AI-powered chatbot platform, was reported. A threat actor known as “Gloomer” claimed responsibility for the breach, alleging the exposure of sensitive user information, including email addresses, phone numbers, API keys, and extensive chat logs. This report delves into the specifics of the breach, examines the potential vulnerabilities exploited, assesses the impact, and offers recommendations to prevent similar incidents in the future.
How ASP.NET Machine Keys Triggered Remote Code Execution Attacks
On February 6, 2025, Microsoft revealed a major security issue involving over 3,000 publicly exposed ASP.NET machine keys. These keys, meant to protect web applications, had been inadvertently shared in public repositories, creating a significant risk of remote code execution (RCE) attacks. Exploiting these exposed machine keys, attackers took advantage of the ASP.NET ViewState mechanism to inject and execute arbitrary code on
vulnerable servers.
In February 2025, the cybersecurity world faced yet another wake-up call, this time, the target was Zacks Investment Research, a well-known investment analysis firm. A hacker, going by the alias “Jurak,” claimed responsibility for leaking sensitive data belonging to 12 million Zacks customers. This breach has left millions exposed to serious risks like identity theft, credential stuffing, and financial fraud. But what’s even more alarming is that this isn’t the first time Zacks has fumbled the ball when it comes to data security.
In January 2025, the ransomware group “Codefinger” has exploited Amazon Web Services (AWS) to launch a sophisticated campaign targeting Simple Storage Service (S3) buckets. Using compromised AWS credentials, the attackers leveraged AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt stored data. This innovative use of legitimate AWS features complicates detection and remediation, underscoring the importance of robust cloud security practices.
On January 29, 2025, a major security breach involving DeepSeek, a prominent Chinese artificial intelligence (AI) startup, was reported. The breach resulted in the exposure of over one million log lines and highly sensitive secret keys. This exposure has triggered serious concerns about the security of AI systems, the integrity of the data involved, and the broader implications for both organizations and industries relying on AI.
Secrets Exposure Via Azure Key Vault Role
In December 2024, Researchers identified a potential privilege escalation vector in Azure Key Vault. The issue arises from the misconfiguration of the permissions associated with the “Key Vault Contributor” role. While this role is documented to allow management of key vaults without granting data access, it includes the Microsoft.KeyVault/vaults/write permission. This permission enables users to modify access policies, effectively allowing them to grant themselves or others full access to the key vault’s data.
Microsoft Azure OpenAI Service Breach
In December 2024, Microsoft took decisive legal action against a Hacking-as-a-Service (HaaS) platform that exploited vulnerabilities in its Azure OpenAI services. The cybercriminals behind this scheme were using stolen Azure API Keys and custom-developed software to bypass AI safety measures, enabling them to generate harmful content, including illegal materials, at scale. This breach highlights the growing sophistication of cybercriminal activities leveraging AI, as well as the critical need for stronger safeguards in the rapidly evolving landscape of generative AI services.
BeyondTrust Breach
On December 2, 2024, BeyondTrust, a leading cybersecurity solutions provider specializing in Privileged Access Management (PAM) and Secure Remote Access, identified anomalous activities affecting certain customer instances of its Remote Support Software-as-a-Service (SaaS) platform. Following an in-depth investigation, it was revealed that a compromised API key had been exploited, leading to unauthorized access and the potential for escalated attacks on affected customer environments.
In November 2024, Schneider Electric, confirmed a significant cybersecurity incident including unauthorized access to its internal project management system. The attacker exploited exposed credentials to gain access to Schneider Electric’s Jira server to extract a 40GB of sensitive data.
In October 2024, Permiso Security reported attackers were hijacking LLM models on cloud infrastructure to run rogue chatbot services. Threat actors leveraged AWS access keys to hijack Anthropic models provided by AWS Bedrock, for Dark Roleplaying.
In October 2024, a significant cybersecurity incident known as Emerald Whale shocked the DevOps community. This incident revolved around exposed Git configuration files, an apparently simple misconfiguration that resulted in the theft of over 15,000 sensitive data and unauthorized access to over 10,000 private repositories.
In October 2024, the Internet Archive fell victim to a major data breach affecting 31 million user accounts. Unsecured authentication tokens in their GitLab repository, which were left accessible for almost two years, were the cause of this incident. Threat actors exploited these tokens to gain access to critical systems, databases, and user data.
In October 2024, Cisco experienced a significant cybersecurity breach related to Non-Human Identities (NHIs). The threat actor ‘IntelBroker’ exploited exposed credentials, API tokens, and keys located in DevHub, Cisco’s public development environment.
In September 2024, a security researcher recently demonstrated how a series of flaws in a CI/CD environment resulted in a full server takeover. The attack started with an exposed .git directory, progressed through mismanaged CI/CD pipeline configurations and ended up with unauthorized server access.
230 Million AWS Cloud Environments Compromised
In August 2024, many organizations fell victim to a recent large scale extortion campaign targeted improperly configured cloud environments. Attackers exploited unsecure environment variable files (.env) in these environments.
In June 2024, Hugging Face, which is considered as a leading company and AI platform, announced a security breach targeting its Spaces Platform. The incident included unauthorized access to authentication secrets (API keys and tokens), which could lead to the compromise of sensitive data and disrupt workflows.
In June 2024, the New York Times (NYT), a media powerhouse known for its reporting excellence, became the subject of headlines for an entirely different reason: a significant cybersecurity breach.
In June 2024, GitHub users fell victim to an extortion campaign targeting their repositories. The threat actor gained unauthorized access to GitHub accounts using stolen credentials that seemed to be acquired from previous breaches.
In May 2024, Snowflake fell victim to a major cybersecurity breach in May 2024. The breach compromised data from major organizations, including Ticketmaster and Santander Bank, highlighting the weaknesses in cloud environments when it lacks efficient security measures.
In May 2024, Dropbox Sign experienced a significant security breach. Attackers exploited compromised backend service account which granted them the ability to access the customers database which led to the exposure of sensitive user data, including email addresses, usernames, hashed passwords, and account authentication details like API keys and OAuth tokens.
In May 2024, a critical vulnerability (CVE-2024-37051) with a CVSS score of 9.3, was reported in JetBrains’ GitHub plugin for IntelliJ-based IDEs. This vulnerability exposed GitHub access tokens to malicious third parties.
In April 2024, Sisense reported a security breach from unauthorized access to Sisense’s self-managed GitLab Instance, which led to the exfiltration of huge amounts of data, including access tokens, API keys, passwords, and certificates.
In March 2024, security researchers discovered that misconfigurations in Google Firebase instances had exposed over 19.8 million secrets. Google Firebase is a popular Backend-as-a-Service (BaaS) platform used by developers to manage databases, storage, and authentication for their applications.
Microsoft Midnight Blizzard Breach
In January 2024, Microsoft detected a cyberattack planned by the Russian state-sponsored group Midnight Blizzard (also known as Nobelium or APT29). The attacker exploited a legacy, non-production test tenant account without multi-factor authentication (MFA).
In November 2023, SAP, a global software giant, made headlines after researchers discovered that over 95 million artefacts including sensitive Kubernetes secrets were exposed through public GitHub repositories and misconfigured systems.
In November 2023, a significant security incident was uncovered involving the exposure of thousands of hardcoded secrets in packages hosted on the Python Package Index (PyPI). This incident revealed that thousands of PyPI packages contained hardcoded secrets, such as API keys, database credentials, and authentication tokens.
In November 2023, Sumo Logic detected unauthorized access to one of its AWS accounts. Investigations revealed that the attackers used compromised credentials to gain access to the AWS account.
In November 2023, Cloudflare disclosed a significant breach involving their internal Atlassian systems. The intrusion occurred after attackers used credentials stolen during the October 2023 Okta breach.
In October 2023, Okta, a leader in identity and access management (IAM), suffered a supply chain breach that exploited a compromised service account.
In July 2023, JumpCloud, a well-known directory-as-a-service provider, made headlines by invalidating all administrator API keys in response to a suspected security breach. This move impacted thousands of organizations globally.
In July 2023, a sophisticated cyberattack shook the developer community, targeting GitHub repositories at an unprecedented scale. Threat actors exploited stolen GitHub personal access tokens to inject malicious code into hundreds of repositories, masquerading the commits as legitimate contributions by Dependabot, a widely used automated dependency management tool.
In June 2023, Microsoft experienced a major security breach that left many businesses and government agencies vulnerable. The breach, dubbed the Azure Key Breach, exposed a key security flaw in how Microsoft managed cryptographic keys used to validate access to its services, including Azure Active Directory (AAD) and Exchange Online.
In June 2023, Microsoft AI researchers inadvertently exposed 38TB of sensitive internal data while publishing open-source training materials on GitHub. The data included private keys, passwords, internal Teams messages, and backups of two employee workstations. The breach resulted from a misconfigured Azure Shared Access Signature (SAS) token used to share files.
In May 2023, a significant cybersecurity incident exposed sensitive Polish military data through a forgotten, outdated password. The issue began when login credentials to a mapping database (ArcGIS) were shared in a 2020 email.
In March 2023, Twitter faced a significant cybersecurity breach when its source code was leaked on GitHub by an unknown user, identified as “FreeSpeechEnthusiast”.
In January 2023, TT-Mobile reported a data breach affecting 37 million accounts. The breach, caused by a vulnerable Application Programming Interface (API), exposed customer data over nearly six weeks.
In January 2023, CircleCI (CI/CD) platform fell victim to a major security breach. The breach was detected when CircleCI was alerted to suspicious GitHub OAuth activity by one of their customers.
In January 2023, Slack a leading collaboration platform, experienced a security breach involving the unauthorized access of private code repositories hosted on GitHub.
GitHub Personal Account Breach
On December 6, 2022, GitHub identified a security breach where an unauthorized actor accessed repositories from GitHub Desktop, Atom, and other deprecated GitHub-owned organizations. The breach occurred due to the compromise of a Personal Access Token (PAT) associated with a machine account.
In October 2022, Toyota disclosed a data breach resulting from a misconfigured public GitHub repository that had unknowingly exposed a hardcoded access key for five years.
In September 2022, Microsoft disabled compromised verified partner accounts exploited by attackers to conduct OAuth phishing campaigns.
On September 15, 2022, Uber Technologies Inc. faced a significant cybersecurity breach that exposed vulnerabilities within its internal systems, involving lateral movement across multiple systems.
In April 2022, Mailchimp confirmed that attackers gained unauthorized access to an internal customer support and account administration tool. This breach affected approximately 133 customers.
In April 2022, attackers exploited stolen OAuth tokens issued by third-party integrators Heroku and Travis CI to gain unauthorized access to GitHub repositories.
In October 2021, Twitch, the popular live streaming platform, suffered a significant data breach, that exposed a significant portion of its internal source code. The leak included 200GB of data, which attackers made public, including credentials, secrets, API keys, and even configuration files.
In April 2021, a supply chain attack targeted Codecov, a popular tool for measuring code coverage in software projects. The breach exploited a vulnerability in Codecov’s infrastructure, leading to the compromise of its Bash Uploader script.
In March 2021, the Sakura Samurai, an ethical hacking group, conducted a responsible vulnerability disclosure campaign. They used various reconnaissance and exploitation techniques to expose significant flaws in the cybersecurity defences of several Indian government organizations.
In January 2021, The United Nations data breach exposed the shocking reality that even the most high-profile organizations of the world may be blind to some pretty simple but catastrophic cybersecurity oversights.
Are you concerned about NHI Risks within your organisation ?
Our NHI Mgmt Group is the market leading research and advisory firm in the Non-Human Identity space. We provide independent guidance and advice for clients looking to manage the risks around Non-Human Identities
- Our team has been advising, establishing and managing global regulatory IAM / NHI programs for over 25 years at major financial institutions.
- We have the most comprehensive Knowledge Centre on NHIs including foundational Articles on NHIs, Industry White-Papers, Major Breaches, Research Reports, Blogs, Educational Videos, Industry Surveys, Newsletters as well as details of Products that support the risk management of NHIs.
- Our NHI Mgmt Group was founded by an IAM Industry Veteran, who has managed global regulatory NHI programs, author of major White-Papers and Research articles on NHIs, established the thriving NHI LinkedIn Community Group and recognised as the #1 NHI Evangelist / Voice in the industry.
Contact us if you would like to get some independent guidance and advice on how to start tackling Non-Human Identity Risks.
Note – we sourced the initial reporting of these breaches from a number of places including Bleeping Computer, Security Week, Astrix Security, GitGuardian, Oasis Security, Entro Security, Permiso Security, Aembit.
