Non-Human Identities (NHIs) and secrets are a fundamental part of modern IT environments. Service accounts, API keys, tokens, machine credentials and certificates are critical for cloud operations and software development, yet they introduce significant security risks and outnumber human identities by 92X. Attackers are targeting NHIs and secrets, exploiting weaknesses in how they are created, used, configured and managed.
This new Entro Labs blog series draws on extensive research into the unique attack vectors targeting secrets and the NHIs they produce, as well as in-depth analysis of prominent breaches and systemic vulnerabilities. With insights from industry experts spanning diverse sectors and disciplines, we will examine the most pressing security threats related to NHIs in 2025, breaking down how they are exploited and providing security leaders and practitioners alike with practical mitigation strategies.
Each entry of our three-part series will provide:
- Threat Analysis: A detailed breakdown of the causes and impacts of NHI security threats.
- Recommendations: Best practices for reducing risk.
- Solutions: Demonstrations of how Entro’s platform helps mitigate the threats.
The Three Main Vectors of Secrets Exposure
1. Source Code Exposures
Hardcoded secrets are sensitive credentials – such as API keys, tokens, or private keys – embedded directly within source code repositories, configuration files, or scripts. These credentials are often meant to facilitate authentication or encryption but can unintentionally become security liabilities if improperly handled.
Description
Hardcoding secrets is a practice that simplifies development workflows but introduces critical security risks. When secrets are directly embedded into source code, they can inadvertently be exposed in various ways:
- Public Repositories: A developer might unintentionally push code containing secrets to a public Git repo, making it accessible to anyone online.
- Access-Control Issues: Even within private repositories, weak access controls can lead to unauthorized exposure.
- Build Artifacts: Secrets may propagate through automated build pipelines, caches, or logs, further expanding the attack surface.
These exposures provide attackers with direct access to critical systems, bypassing traditional perimeter defenses. As a result, organizations are left vulnerable to malicious activity, including unauthorized data extraction, system disruption, and lateral movement within their environments.
2. Logging and Error Message Exposures
Secrets and NHIs can inadvertently be exposed through application logs or error messages. This can happen when errors, stack traces, or debug information containing these secrets are logged for troubleshooting or operational purposes.
Description
Applications generate logs to track system behavior, errors, and performance, but these logs can unintentionally capture sensitive data, which puts the organization at risk.
Examples include:
- Error Logging: When an application encounters an issue, it might log detailed error messages, including technical information such as stack traces, database queries, or API calls. If these logs contain sensitive data like session tokens, API keys, or user credentials, they can be exploited by attackers.
- Stack Traces and Debug Information: During debugging, developers may include detailed information about the application’s internal state, including sensitive data, to identify the root cause of errors. Without proper safeguards, this information could end up in production logs.
- Improper Log Storage: Even if sensitive data is logged unintentionally, improper storage practices—such as leaving logs unsecured or accessible to unauthorized individuals—can increase the likelihood of an attacker gaining access to this sensitive information.
In scenarios where error messages or logs are not sanitized, the consequences of exposure can be severe. Attackers who gain access to these logs can use the exposed secrets to gain unauthorized access to critical systems, impersonate users, or escalate their privileges.
3. Exposures in Collaboration Tools
Secrets get exposed through collaboration apps like Jira, Slack, Confluence, Microsoft Teams, or Office 365. These platforms are used widely for communication, project management, and document sharing but can unintentionally become vectors for exposing sensitive data when secrets are shared in messages, files, or project documentation.
Description
Collaboration and communication tools are essential for modern work environments, enabling teams to collaborate, track projects, and communicate efficiently. However, their widespread use creates opportunities for accidental (or deliberate) exposure of secrets. Developers, system admins, and team members may unknowingly share sensitive information through chat messages, tickets, or documentation on these platforms.
Common ways secrets are exposed in collaboration tools include:
- Chat Messages: During troubleshooting or discussions, team members may share credentials or API keys within chat messages on platforms like Slack or Microsoft Teams.
- Project Tickets: Tools like Jira or Confluence are used to track bugs, features, or support tickets. Sensitive information may be added to tickets or project documentation, including API keys or system credentials for troubleshooting.
- File Sharing: Files exchanged through collaboration tools may contain embedded secrets or configuration files that include sensitive data.
- Shared Documentation: Wiki documentation or spreadsheets shared in platforms like Confluence or Office 365 might include hardcoded credentials or other secrets that should be stored securely elsewhere.
Since these platforms are often integrated with various services and tools, they may inadvertently provide attackers with the means to access critical systems or exploit vulnerabilities when secrets are shared without proper safeguards.
Each of these attack vectors introduces unique risks that organizations must address. Below, we explore how these exposures translate into real-world security breaches and their broader impact.
The Hidden Dangers of Secrets Exposure
While all three vectors of secret exposure can lead to unauthorized access, data breaches, and operational risks, each vector presents unique challenges and attack paths that organizations must address.
Source Code: Direct System Compromise
Hardcoded secrets in source code provide a direct attack vector for threat actors, as they often contain credentials to critical infrastructure.
- Unauthorized Access: Exposed API keys or tokens allow attackers to authenticate as trusted users or apps, accessing cloud environments, databases, or internal APIs.
- Data Breaches: Stolen database credentials or cloud access keys can lead to data exfiltration, violating compliance requirements.
- System Disruption and Abuse: Attackers can manipulate exposed secrets to inject malicious data, hijack cloud resources, or launch denial-of-service attacks.
- Lateral Movement: Once an attacker gains access via hardcoded secrets, they can pivot across interconnected systems, escalating privileges and expanding their foothold.
Notable Example: The SolarWinds supply chain attack involved attackers gaining access via GitHub-stored secrets.
Logging and Error Message Exposures: Inadvertent Credential Leaks
Exposing secrets through logs or error messages is especially dangerous because logs are rarely monitored for credential leaks, making them an attractive target for attackers.
- Unauthorized Access: Logged secrets such as API keys or session tokens can be harvested and reused by attackers to impersonate legitimate users or services.
- Privilege Escalation: If privileged credentials (e.g., admin tokens) are captured in logs, attackers can elevate access and take control of critical systems.
- Compliance Violations: Regulatory frameworks such as GDPR, HIPAA, and PCI-DSS require secure data handling. Exposed secrets in logs can lead to fines, legal consequences, and loss of customer trust.
- Operational Risks: Compromised logs can result in service downtime, unauthorized system modifications, or disruptions to business operations.
Notable Example: Uber’s 2022 breach involved attackers finding hardcoded secrets in logs, enabling them to escalate access across multiple internal systems.
Exposures in Collaboration Tools: Internal Communication Breaches
Unlike the other two vectors, exposure in collaboration tools often occurs due to accidental or malicious sharing by employees rather than direct misconfigurations in code or logs. However, this can rapidly expand an attacker’s reach inside an organization.
- Credential Harvesting: Attackers who gain access to Slack, Jira, or Confluence can search for API keys, login credentials, or SSH keys stored in chat logs, tickets, and documentation.
- Escalation of Privileges: Leaked secrets, especially admin credentials, allow attackers to move laterally within the organization, elevating their privileges.
- Data Breaches and System Compromise: If credentials stored in collaboration tools are compromised, attackers can exfiltrate sensitive data, deploy malware, or manipulate production systems.
- Compliance Violations: Since collaboration tools aren’t designed for secure credential storage, secrets leaked in these platforms create compliance risks similar to those in log exposures.
Notable Example: The Globant breach saw attackers scanning internal documentation and repositories for leaked credentials, leading to a widespread compromise.
Understanding these threats is only half the battle – let’s now explore how organizations can proactively prevent and mitigate secret exposure.
Mitigation Strategies: Preventing Secrets Exposure
Addressing secrets exposure requires a multi-layered approach that combines automated detection, secure storage, access control, monitoring, and user education. Below, we outline the key mitigation strategies along with how the Entro Non-Human Identity & Secrets Security platform helps implement these best practices.
Proactive Secrets Detection – Seeing the Attack Surface
Automated Secret Scanning in the SDLC
- Integrate secret scanning into the software development lifecycle (SDLC) to prevent credentials from being committed to source code repositories.
- Use pre-commit hooks and CI/CD pipeline scanning to identify secrets before they reach production.

The Entro platform detects the exposure of full AWS credentials within GitHub workflow logs, highlighting critical risks where secrets are unintentionally logged and potentially shared across teams or even publicly.
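The pre-commit check recommended above, as an added example (not part of the original post and not Entro's implementation): it scans only the lines a staged diff adds, using two format rules plus an entropy test on credential-like assignments. The rule set, the 3.5-bit threshold and the sample diff are assumptions of this example.

```python
import math
import re
import sys

# Illustrative rules (assumptions of this example); real scanners ship far larger sets.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{12,})['\"]")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")

# Constructed sample: AWS's documentation key ID, a random-looking password, a placeholder.
SAMPLE_DIFF = """\
+++ b/app/config.py
@@ -10,0 +11,3 @@
+AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+db_password = "x9$Lq2!vTz7#Rk4wPm"
+password = "changeme-changeme"
"""

def entropy(value):
    """Shannon entropy in bits per character."""
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)

def scan_diff(diff_text, min_entropy=3.5):
    """Return (path, line_no, rule) for each added line that looks like a secret."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            line_no = int(m.group(1)) - 1   # counter is bumped before each new-file line
        elif line.startswith(("+", " ")):
            line_no += 1
            if line[0] == " ":
                continue                    # unchanged context: count it, do not scan it
            findings += [(path, line_no, r) for r, rx in RULES.items() if rx.search(line)]
            m = ASSIGNMENT.search(line)
            if m and entropy(m.group(1)) >= min_entropy:
                findings.append((path, line_no, "high-entropy-assignment"))
    return findings

if __name__ == "__main__":   # as a hook: git diff --cached -U0 | python3 scan_staged.py
    hits = scan_diff(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read())
    for path, line_no, rule in hits:
        print(f"{path}:{line_no}: possible secret ({rule})", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Low-entropy values such as the `changeme-changeme` placeholder pass this check, so the entropy threshold trades recall for fewer false positives.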
Real-Time Detection and Response or NHIDR
- Continuously scan logs, collaboration tools, and repositories for newly exposed secrets.
- Detect anomalies in NHI behavior by identifying unexpected access patterns, unusual privilege escalations, or abnormal secret usage across systems.
- Implement automated alerts when a secret is detected, ensuring immediate remediation.
Entro’s NHIDR detects and helps mitigate NHI behavioral anomalies in real-time by identifying unusual access patterns, privilege escalation attempts, and abnormal secret usage. In this example, a GCP token was used by multiple devices across three different countries – triggering a high-severity alert for potential credential sharing, misuse, or compromise.
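The multi-country token alert described above can be expressed as a sliding-window check over access events. This is an added example, not Entro's detection logic; the event fields, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access events: (timestamp, token id, device id, source country).
# The field layout is an assumption of this example, not a real log schema.
EVENTS = [
    ("2025-01-14T09:00:05", "gcp-token-A", "device-1", "US"),
    ("2025-01-14T09:12:40", "gcp-token-A", "device-2", "DE"),
    ("2025-01-14T09:31:02", "gcp-token-A", "device-3", "BR"),
    ("2025-01-14T09:05:00", "gcp-token-B", "device-9", "US"),
    ("2025-01-14T15:45:00", "gcp-token-B", "device-9", "CA"),
]


def find_shared_tokens(events, window=timedelta(hours=1), max_countries=2, max_devices=2):
    """Flag tokens used from more countries or devices than allowed inside one window."""
    by_token = defaultdict(list)
    for ts, token, device, country in events:
        by_token[token].append((datetime.fromisoformat(ts), device, country))

    alerts = []
    for token, uses in by_token.items():
        uses.sort()                                   # chronological order per token
        start = 0
        for end in range(len(uses)):
            while uses[end][0] - uses[start][0] > window:
                start += 1                            # drop uses older than the window
            in_window = uses[start:end + 1]
            countries = {country for _, _, country in in_window}
            devices = {device for _, device, _ in in_window}
            if len(countries) > max_countries or len(devices) > max_devices:
                alerts.append({"token": token, "countries": sorted(countries),
                               "devices": sorted(devices),
                               "at": uses[end][0].isoformat()})
                break                                 # one alert per token is enough
    return alerts


if __name__ == "__main__":
    for alert in find_shared_tokens(EVENTS):
        print("HIGH", alert)
```

Token B appears in two countries more than six hours apart and stays below the threshold, while token A reaches three countries and three devices within about half an hour and is flagged.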
Secure Secrets Management & Storage
Use Secret Management & Vaulting Solutions
- Store credentials in dedicated vaulting solutions rather than hardcoding them in applications or sharing them in Slack/Jira.
- Use environment variables or secure APIs for dynamically retrieving secrets when needed.
Rotate & Expire Secrets Automatically
- Adopt strict rotation policies to minimize the lifespan of secrets.
- Automate secret expiration and revocation when a secret is compromised or exposed.

The platform detects and flags idle NHIs and secrets that have not been rotated for extended periods – in this case, a GitHub Private Access Token hasn’t been rotated for over four months. While these risks are typically lower in severity, they still pose a potential security threat and require attention to prevent unauthorized access or credential misuse.
Access Controls & Policy Enforcement
Enforce Least Privilege & Access Controls
- Restrict access to source code repositories, logs, and collaboration platforms based on the principle of least privilege.
- Implement role-based access control (RBAC) to ensure only authorized personnel can access sensitive systems.
Audit & Review Permissions Regularly
- Conduct periodic reviews of repository and log access to prevent privilege creep.
- Implement continuous access monitoring to detect unauthorized activity.

Entro’s platform audits and tracks access to vaulted secrets, identifying cases where an excessive number of non-admin identities have access. In this example, an Akeyless access key (stored in AWS Secrets Manager) is readable by seven non-admin identities – introducing unnecessary risk. By continuously monitoring permissions, Entro helps security teams enforce least privilege access and detect misconfigurations before they lead to exposure.
Logging & Error Handling Best Practices
Use Redaction & Masking in Logs
- Configure logging frameworks to automatically redact API keys, tokens, and passwords.
- Replace sensitive values with placeholders or encrypt them before storing logs.
Implement Robust Error Handling
- Prevent stack traces or debug information from exposing credentials in production environments.
- Ensure error messages do not contain database credentials or API keys.
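One way to apply the redaction and error-handling guidance above with Python's standard `logging` module, as an added example that is not from the original post or from Entro: the formatter redacts the fully rendered record, so secrets arriving through format arguments or exception tracebacks are masked as well. The patterns and all logged values are constructed for illustration.

```python
import io
import logging
import re

# (pattern, replacement) pairs; illustrative, not a complete catalogue of secret formats.
REDACTIONS = [
    (re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "[REDACTED-AWS-KEY-ID]"),
    (re.compile(r"(?i)\b(Bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\1[REDACTED]"),
    (re.compile(r"(://[^/\s:@]+:)[^/\s@]+(?=@)"), r"\1[REDACTED]"),   # password in a URL
    (re.compile(r"(?i)((?:password|passwd|secret|token|api[_-]?key)\w*[\"']?\s*[=:]\s*[\"']?)"
                r"[^\s\"'&,;]+"), r"\1[REDACTED]"),
]


def redact(text):
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFormatter(logging.Formatter):
    """Redact the fully rendered record: message, interpolated args and traceback text."""

    def format(self, record):
        return redact(super().format(record))


def demo():
    """Log constructed events through the formatter; return what a log sink would store."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    log = logging.getLogger("redaction-demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)

    log.info("calling billing API with Authorization: Bearer %s", "constructed.jwt.value")
    log.info("retrying request, params=%s", {"api_key": "constructed-key-123", "page": 2})
    try:
        raise ConnectionError("cannot reach postgres://svc_app:S3cr3tValue@db.internal:5432/app")
    except ConnectionError:
        log.exception("database connection failed")   # the traceback carries the DSN
    return sink.getvalue()


if __name__ == "__main__":
    print(demo())
```

Set the formatter on every handler; a handler left with a plain formatter still writes the unredacted message and traceback.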
Secure Collaboration Practices
Scan & Monitor Collaboration Tools
- Regularly scan Slack, Jira, Confluence, and Teams for accidentally shared credentials.
- Implement DLP (Data Loss Prevention) policies to block the sharing of secrets.

Entro continuously scans collaboration tools within the organization to detect exposed secrets in real time. In this example, full AWS credentials were shared within a Jira ticket, increasing the risk of unauthorized access. By identifying and alerting security teams about these exposures, Entro enables rapid remediation.
Educate Software Engineering & DevOps Teams
- Train employees on why secrets should never be shared in chat platforms.
- Provide clear policies and guidelines on how to securely store and share credentials.

Entro empowers security teams to educate and assist NHI owners by providing automated playbooks, webhooks, and integrations with SOC automation platforms. With Entro’s automated remediation workflows, security teams can quickly alert the human owners of exposed secrets and NHIs at risk, ensuring rapid response and reinforcing secure secret management practices.
Stay Ahead of Non-Human Identities Threats
Secrets exposure is just one of the many risks Non-Human Identities introduce to modern businesses. In our next installment, we’ll dive into NHI hygiene, exploring how attackers exploit bad practices and how security teams can mitigate these risks. Stay tuned.
If you want to learn more about how Entro helps dozens of CISOs and security teams mitigate NHI threats, detect leaked secrets in real time, and secure the machine identity attack surface, reach out to us for a demo.