
Why do leaked secrets still dominate NHI breach paths?


(@entro)
Reputable Member
Joined: 1 year ago
Posts: 92
Topic starter  

TL;DR: Verizon’s 2025 DBIR says public repositories still expose 441,000 secrets, with JWTs and GitLab tokens dominating the mix and a median 94-day remediation window giving attackers time to exploit them. The case for tighter NHI secret governance is no longer theoretical, because exposure and dwell time now move faster than manual control.

NHIMG editorial — based on research published by Entro Security.

By the numbers:

Questions worth separating out

Q: How should security teams handle leaked NHI secrets in public code?

A: They should treat every leaked secret as an active identity incident.

Q: Why do exposed JWTs and API tokens create such high risk?

A: Because they often authenticate directly without user prompts or extra challenge.

Q: What is the difference between secret rotation and secret revocation?

A: Rotation replaces a credential while keeping the service running, which is useful when the secret is still needed.

Practitioner guidance

  • Inventory exposed and reusable secrets across code and collaboration tools. Scan repositories, tickets, logs, and chat systems for JWTs, CI/CD tokens, and other credentials, then map each one to a human owner and workload dependency.
  • Shorten token lifetime and eliminate cross-environment reuse. Use separate credentials for each workload, pipeline, and environment so that one leaked token cannot unlock unrelated systems or production access.
  • Automate revocation workflows for public secret exposure. Trigger immediate rotation or revocation when scanners detect a secret in a public repository, and route exceptions through an approval process with deadlines.

Programmes that still rely on periodic scans without revocation automation will keep finding the same problem after attackers do.

👉 Read Verizon's 2025 DBIR takeaways on secrets exposure and NHI risk →

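As an added example (not from the post, nor from Entro's or NHIMG's research), here is a small Python triage that does the three things the practitioner guidance lists: scan text lifted from chat, commits and tickets for JWTs and GitLab tokens, map each hit by fingerprint to a recorded owner, and decide rotate versus revoke while flagging tokens whose lifetime exceeds an assumed one-hour ceiling. The token, the owner map, the source labels and the policy ceiling are all constructed sample data.

```python
import base64, hashlib, json, re
from datetime import timedelta
MAX_TOKEN_LIFETIME = timedelta(hours=1)  # assumed policy ceiling; the post gives no number
JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]*")  # header.payload.signature, base64url
GITLAB_PAT_RE = re.compile(r"glpat-[\w-]{20}")     # GitLab personal access token prefix

def jwt_lifetime(token: str):
    """exp - iat read from the unverified payload, or None if either claim is missing."""
    seg = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if "exp" not in claims or "iat" not in claims:
        return None
    return timedelta(seconds=claims["exp"] - claims["iat"])

def fingerprint(secret: str) -> str:
    # The inventory keeps only a hash so it does not become a second copy of the secret.
    return hashlib.sha256(secret.encode()).hexdigest()[:16]

def triage(artifacts, owners):
    """Scan (source, text) pairs, map each hit to an owner, decide rotate vs revoke."""
    findings = []
    for source, text in artifacts:
        hits = [("jwt", t) for t in JWT_RE.findall(text)]
        hits += [("gitlab_pat", t) for t in GITLAB_PAT_RE.findall(text)]
        for kind, secret in hits:
            fp = fingerprint(secret)
            owner = owners.get(fp)
            lifetime = jwt_lifetime(secret) if kind == "jwt" else None
            findings.append({
                "source": source, "kind": kind, "fingerprint": fp,
                "owner": owner or "UNOWNED", "lifetime": lifetime,
                # missing exp, or exp too far out, violates the short-lifetime rule
                "over_policy": lifetime is None or lifetime > MAX_TOKEN_LIFETIME,
                # owned: rotate so the workload keeps running; unowned: unmanaged NHI, revoke outright
                "action": "rotate" if owner else "revoke",
            })
    return findings

def _fake_jwt(payload: dict) -> str:
    # Constructed sample token: real header/payload encoding, dummy signature, never signed.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(payload)}.c2lnbmF0dXJl"

SAMPLE_JWT = _fake_jwt({"sub": "ci-deployer", "iat": 1700000000, "exp": 1700000000 + 90 * 86400})
SAMPLE_PAT = "glpat-" + "A" * 20
SAMPLE_ARTIFACTS = [  # constructed (source, text) pairs standing in for chat, commits and tickets
    ("teams:#deploy", f"prod token is {SAMPLE_JWT} please don't share"),
    ("git:deploy.env", f"GITLAB_TOKEN={SAMPLE_PAT}"),
    ("jira:OPS-42", "rotated the db password, see the vault entry"),
]
SAMPLE_OWNERS = {fingerprint(SAMPLE_JWT): "platform-team"}  # the PAT has no recorded owner
```

Running `triage(SAMPLE_ARTIFACTS, SAMPLE_OWNERS)` yields two findings: the owned 90-day JWT is marked over policy but routed to rotation, while the ownerless GitLab token is revoked.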

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
A few things worth adding from our research at NHI Mgmt Group.

Leaked secrets are now a non-human identity governance problem, not a repository hygiene problem. The report’s numbers show that exposed credentials remain one of the most reliable entry points for attackers. That shifts the control conversation from code review alone to identity ownership, lifecycle enforcement, and blast-radius reduction. Practitioners should treat every leaked token as an unmanaged NHI until proven otherwise.

A few things that frame the scale:

  • 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.

A question worth separating out:

Q: Should organisations prioritise reducing secret reuse over faster scanning?

A: Yes, because faster scanning only shortens detection time, while lower reuse reduces the blast radius of any one leak. If the same token serves multiple systems, exposure in one place can become compromise everywhere. The strongest programmes do both, but reuse reduction delivers the bigger structural gain.

👉 Read our full editorial: Verizon DBIR shows leaked secrets still drive NHI compromise
