
Security researchers discover 17,000 secrets in public GitLab repositories

  • Researcher Luke Marshall discovered 17,000 secrets exposed in public GitLab Cloud repositories
  • Credential leakage risks account hijacking, cryptocurrency mining, and deeper infrastructure breaches.
  • Marshall automated the scans and earned around $9,000 in bounties; some of the secrets remain exposed

A security researcher has discovered thousands of secrets in public repositories on GitLab Cloud, revealing how software developers are inadvertently exposing their projects to cyberattacks.

GitLab Cloud is the hosted version of GitLab, a platform used by developers to store code, track issues, run CI/CD pipelines, and collaborate on software projects.

Luke Marshall described how he searched GitLab Cloud, Bitbucket and Common Crawl for material such as API keys, passwords and tokens, and found far more than he expected.

Automating the scans

On GitLab Cloud, 17,000 secrets were exposed in public repositories, spanning 2,800 unique domains. He also found more than 6,200 secrets across 2.6 million Bitbucket repositories and 12,000 valid secrets in Common Crawl.

Attackers who find these credentials can take over cloud accounts, steal data, run cryptominers, impersonate services, or move deeper into an organization’s infrastructure. Even a single leaked token can give an attacker long-term access to internal systems, allowing them to modify code, consume resources, or launch further attacks without being noticed.

While most of the secrets were relatively new (generated after 2018), some were years old and still valid, which makes it likely that malicious actors had already found and abused them. Most of the secrets were Google Cloud Platform (GCP) credentials and MongoDB keys. Other notable types included Telegram bot tokens, OpenAI keys, and GitLab tokens.
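To make the scanning step concrete, here is an added example of a minimal secret scanner for the token kinds listed above. It is not Marshall’s tooling (the article does not show his code); the token shapes are assumptions based on the public prefixes each vendor uses, the Shannon-entropy threshold is an assumption for filtering placeholders, and the sample files are constructed and contain no real credentials.

```python
"""Added example: minimal secret scanner over an in-memory checkout.
Patterns, threshold and sample files are this example's own assumptions."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Token shapes for the secret types named in the article. These are assumptions
# based on the public prefixes each vendor uses; tune them for your own corpus.
PATTERNS = {
    "gcp_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "gcp_service_account": re.compile(r'"type"\s*:\s*"service_account"'),
    "mongodb_uri": re.compile(r"""mongodb(?:\+srv)?://[^\s:@/]+:[^\s@/]+@[^\s"']+"""),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "openai_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20,}\b"),
}

# Below this Shannon entropy (bits per character) a match is almost always a
# placeholder such as AIzaSyXXXX...; real tokens are random and score well above it.
MIN_ENTROPY = 3.0  # assumed threshold


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    secret: str

    def redacted(self) -> str:
        """Mask the value for reports: enough to identify the token, not to use it."""
        s = self.secret
        if len(s) <= 8:
            return "*" * len(s)
        return f"{s[:4]}...{s[-4:]}"


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte-frequency distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) match that passes the placeholder filter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(0)
                # The service-account marker is a structural hint, not a random
                # string, so it skips the entropy filter; everything else must look random.
                if kind != "gcp_service_account" and shannon_entropy(secret) < MIN_ENTROPY:
                    continue
                findings.append(Finding(path, lineno, kind, secret))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: content} map, e.g. the checkout of one public project."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample checkout; none of these values are real credentials.
SAMPLE_REPO = {
    "config/settings.py": (
        "GOOGLE_MAPS_KEY = 'AIzaSyD9f3kQ2mN7vL0pR8tW1xZ4bC6eH5jK3aM'\n"
        "MONGO_URI = 'mongodb+srv://app_user:Tr0ub4dor-3@cluster0.example.net/prod'\n"
    ),
    "bot/telegram.env": "TELEGRAM_TOKEN=123456789:AAHfiqksKZ8WmR2zJ3vX4bC5dE6fG7hI8jK\n",
    # Documentation placeholder: matches the GCP shape but has almost no entropy.
    "README.md": "Set GOOGLE_MAPS_KEY=" + "AIzaSy" + "X" * 33 + " before running.\n",
    "ci/.gitlab-ci.yml": "  - curl --header 'PRIVATE-TOKEN: glpat-x9Fq2Lw8Nz3Tr7Vb1Kc4' $CI_API_V4_URL/projects\n",
}


if __name__ == "__main__":
    # Print a redacted report; never write the raw secret to a ticket or log.
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}  {f.kind:<20} {f.redacted()}")
```

Pattern matches alone only tell you a string looks like a secret; the 12,000 "valid" Common Crawl hits in the article imply a second step that checks each candidate against the issuing service before reporting, which this example deliberately omits so that it runs offline. Keep the redacted form for reports and delete the raw findings once the owner has been notified.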

Marshall explained the process and said he could automate most of it. Running everything took him about 24 hours and just under $800. It paid off: he reportedly earned around $9,000 in bug bounties for his efforts, and the reporting process can be automated as well. Many of the developers he notified have since secured their projects, but some of the secrets remain exposed, he said.

By BeepTeam