TL;DR: Sisense’s 2024 breach reportedly began in a self-managed GitLab repository, where hardcoded tokens enabled AWS access and the theft of sensitive client data from Amazon S3, according to Unosecur. The case shows why secret storage, repository governance, and cloud access monitoring remain core identity controls, not background hygiene.
NHIMG editorial — based on content published by Unosecur covering the Sisense breach: Safeguarding Secrets and Addressing Security Issues in Sisense
Questions worth separating out
Q: What breaks when a hardcoded secret is left in a repository?
A: A hardcoded secret turns source control into an authentication source. Anyone or anything that can read the repository (developers, CI runners, backups, forks, and an attacker who reaches any of them) holds a working credential, and because git history retains the value, deleting the line later does not revoke it; only rotation does.
Q: Why do service account tokens create such large breach blast radii?
A: Service account tokens often carry broad, persistent access because they are built for machine-to-machine operation: no interactive login or MFA stands in front of them, they are rarely scoped to a single task, and they tend to outlive the code that needed them. One leaked token can therefore reach everything its owning workload was ever granted.
Q: How should security teams handle exposed AWS credentials in code repositories?
A: Treat exposed AWS credentials as an active incident, not a hygiene issue: revoke the key first, rotate whatever depended on it, then review CloudTrail for what the key did between exposure and revocation. Assume the credential was used until the logs show otherwise.
Practitioner guidance
- Block credentials from entering source control: enforce pre-commit and server-side scanning for API keys, tokens, certificates, and cloud secrets so repositories cannot become long-lived credential stores.
- Shorten the lifetime of every exposed machine credential: create a revocation workflow that invalidates leaked tokens immediately, then rotate dependent keys and certificates before normal incident handling completes.
- Reduce cloud storage blast radius: split S3 permissions so enumeration, read, and export rights are not bundled into one identity, and review any token that can list buckets and download objects.
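The first control above, pre-commit scanning, is concrete enough to show in code. The script below is an added example written for this post, not tooling from Sisense, Unosecur, or GitLab: it scans only the lines a staged diff would add, matches the documented shapes of AWS access key IDs and GitLab personal access tokens (both assumed formats), catches a 40-character value assigned to an aws_secret_access_key-style name, and falls back to an entropy check on anything assigned to a secret-looking variable. The sample diff is constructed; the AWS values in it are the placeholder keys from AWS's own documentation.

```python
"""Pre-commit secret scanner for staged diffs.

Added example, not Sisense's or Unosecur's tooling. It inspects only the
lines a commit would add, so credentials are caught before they enter
history (where deleting them later does not remove them).
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Known token shapes. Assumed formats: AWS access key IDs are AKIA/ASIA plus
# 16 uppercase alphanumerics; GitLab personal access tokens are "glpat-" plus
# 20 token characters; AWS secret keys are 40 base64-ish characters, matched
# only when assigned to an aws_secret_access_key-style name. Group 1 is the value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "gitlab_pat": re.compile(r"\b(glpat-[A-Za-z0-9_-]{20})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})\b"),
}
# Fallback: a secret-looking variable name assigned a long value; flagged only
# when the value has high Shannon entropy (random-looking, like a real token).
ASSIGNMENT = re.compile(
    r"(?i)\b([a-z_]*(?:secret|token|password|api[_-]?key)[a-z_]*)\s*[:=]\s*['\"]?([^\s'\"]{16,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; tune for your codebase


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; about 4.6 for a 24-char token of distinct symbols."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_diff(diff_text: str) -> list[dict]:
    """Return [{'line', 'kind', 'match'}] for credentials on added ('+') lines.

    'line' is the line number in the new version of the file, taken from the
    hunk header and advanced on every context or added line.
    """
    findings = []
    in_hunk = False
    lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False  # file header lines follow until the next @@
            continue
        if raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            lineno = int(m.group(1)) - 1 if m else 0
            in_hunk = True
            continue
        if not in_hunk or raw.startswith("-") or raw.startswith("\\"):
            continue  # headers, removed lines, "\ No newline at end of file"
        lineno += 1
        if not raw.startswith("+"):
            continue  # unchanged context line
        line = raw[1:]
        matched = False
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"line": lineno, "kind": kind, "match": m.group(1)})
                matched = True
        if not matched:
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno,
                                 "kind": "high_entropy_" + m.group(1).lower(),
                                 "match": m.group(2)})
    return findings


# Constructed sample diff. The AWS values are the placeholder keys from AWS's
# own documentation; the GitLab and Slack values are made up for this example.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
index 1111111..2222222 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,7 @@
 REGION = "us-east-1"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+GITLAB_TOKEN = "glpat-ABCDEFGHIJKLMNOPQRST"
+SLACK_WEBHOOK_TOKEN = "T0r9qX3mK8zP2wLb5YvN7eHj"
+DB_PASSWORD = "hunter2hunter2hunter2"
 BUCKET = "customer-exports"
"""


def main() -> int:
    """Scan the staged diff; a non-zero exit makes a pre-commit hook block the commit."""
    diff = subprocess.run(["git", "diff", "--cached"], capture_output=True,
                          text=True, check=True).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"blocked: line {f['line']}: {f['kind']} ({f['match'][:6]}...)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a repository's pre-commit hook (or call scan_diff from your own hook) and the commit is refused while findings exist. On the sample diff it flags the access key ID, the secret key, the GitLab token, and the random-looking Slack value, but not the repetitive DB_PASSWORD: entropy heuristics miss weak human-chosen passwords, which is why the pattern rules and a server-side scan on push belong alongside the hook rather than instead of it.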
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step walkthrough of how the exposed GitLab token was used to reach AWS services
- The specific CloudTrail and storage activity patterns Unosecur uses to detect exfiltration behaviour
- Practical examples of suspicious S3 actions such as bucket listing and repeated object downloads
- The remediation actions Unosecur recommends for repository cleanup, secret rotation, and incident response
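Unosecur's own detection patterns are in the source article. As an added illustration of the bucket-listing-then-repeated-download behaviour mentioned above (this is example code written for this post, not Unosecur's rules), the script below groups CloudTrail-style S3 records by access key and alerts when a key enumerates buckets or objects and then fetches many objects across more than one bucket within a short window. It relies on the CloudTrail record fields eventTime, eventName, eventSource, userIdentity.accessKeyId, requestParameters.bucketName and sourceIPAddress; the events, key IDs and addresses in the sample are constructed.

```python
"""Listing-then-bulk-download detector over CloudTrail-style S3 events.

Added example, not Unosecur's detection rules. It keys on the CloudTrail
record fields eventTime, eventName, eventSource, userIdentity.accessKeyId,
requestParameters.bucketName and sourceIPAddress. GetObject records only
exist if S3 data events are enabled on the trail; without them the
enumeration half of the pattern is all you will see.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
ENUMERATION = {"ListBuckets", "ListObjects", "ListObjectsV2"}
MIN_DOWNLOADS = 5   # GetObject calls after enumeration, within the window
MIN_BUCKETS = 2     # distinct buckets read; breadth separates this from an app's normal reads


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_exfil_pattern(records, window=WINDOW, min_downloads=MIN_DOWNLOADS,
                         min_buckets=MIN_BUCKETS):
    """One alert per access key that enumerated S3 and then fetched at least
    min_downloads objects from at least min_buckets buckets within window."""
    by_key = defaultdict(list)
    for r in records:
        if r.get("eventSource") == "s3.amazonaws.com":
            by_key[r["userIdentity"]["accessKeyId"]].append(r)

    alerts = []
    for key, events in by_key.items():
        events.sort(key=_ts)
        for i, e in enumerate(events):
            if e["eventName"] not in ENUMERATION:
                continue
            start = _ts(e)
            downloads = [x for x in events[i + 1:]
                         if x["eventName"] == "GetObject" and _ts(x) - start <= window]
            buckets = {x["requestParameters"]["bucketName"] for x in downloads}
            if len(downloads) >= min_downloads and len(buckets) >= min_buckets:
                alerts.append({
                    "accessKeyId": key,
                    "enumeration_at": e["eventTime"],
                    "downloads": len(downloads),
                    "buckets": sorted(buckets),
                    "sourceIPs": sorted({x["sourceIPAddress"] for x in downloads}),
                })
                break  # first qualifying enumeration is enough; one alert per key
    return alerts


def _rec(time, name, key, ip, bucket=None, obj=None):
    """Minimal CloudTrail-shaped record; requestParameters is null for ListBuckets."""
    params = None
    if bucket:
        params = {"bucketName": bucket}
        if obj:
            params["key"] = obj
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip,
            "requestParameters": params}


# Constructed sample: key IDs and addresses are made up for this example.
BENIGN_KEY = "AKIA0000000000BENIGN"   # application key, reads its own bucket
LEAKED_KEY = "AKIA00000000LEAKED00"   # key lifted from a repository
SAMPLE_EVENTS = [
    _rec("2024-04-05T09:10:00Z", "GetObject", BENIGN_KEY, "10.0.1.5", "app-assets", "logo.png"),
    _rec("2024-04-05T09:40:00Z", "GetObject", BENIGN_KEY, "10.0.1.5", "app-assets", "style.css"),
    _rec("2024-04-05T10:05:00Z", "GetObject", BENIGN_KEY, "10.0.1.5", "app-assets", "logo.png"),
    _rec("2024-04-05T10:00:00Z", "ListBuckets", LEAKED_KEY, "203.0.113.7"),
    _rec("2024-04-05T10:02:00Z", "ListObjectsV2", LEAKED_KEY, "203.0.113.7", "customer-exports"),
    _rec("2024-04-05T10:03:00Z", "ListObjectsV2", LEAKED_KEY, "203.0.113.7", "analytics-raw"),
] + [
    _rec(f"2024-04-05T10:{5 + i:02d}:00Z", "GetObject", LEAKED_KEY, "203.0.113.7",
         "customer-exports" if i % 2 == 0 else "analytics-raw", f"export-{i}.csv")
    for i in range(8)
]

if __name__ == "__main__":
    for alert in detect_exfil_pattern(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the application key that reads three objects from its own bucket over an hour produces nothing, while the leaked key (ListBuckets, two ListObjectsV2 calls, then eight GetObject calls across two buckets in twelve minutes from one address) produces a single alert carrying the key ID, buckets and source IP, which is what an identity team needs to start the revocation workflow. The thresholds are starting points; a key that legitimately enumerates and reads widely needs an allow-list rather than a looser rule.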
👉 Read Unosecur's analysis of the Sisense breach and hardcoded token exposure →
Hardcoded tokens in GitLab: what IAM teams need to know now