AI‑Service Credential Leaks Surge 81% as 29 Million Secrets Surface on Public GitHub
What Happened — GitGuardian’s monitoring platform recorded an 81% increase in AI‑service credential leaks over the past quarter, with roughly 29 million secrets (API keys, tokens, and passwords) now visible in public GitHub repositories. The surge spans multiple AI providers, including large‑language‑model APIs and downstream tooling.
Why It Matters for TPRM —
- Exposed AI‑service keys can be abused to consume paid compute, steal proprietary data, or launch further attacks against your supply chain.
- Third‑party AI integrations are increasingly embedded in enterprise workflows; compromised credentials create a hidden attack surface.
- Traditional vendor assessments often overlook code‑base hygiene, making this a blind spot for many organizations.
Who Is Affected — Technology SaaS firms, cloud‑infrastructure providers, AI‑service vendors, and any enterprise that integrates external AI APIs into its products or internal tools.
Recommended Actions —
- Conduct an immediate audit of all public and internal code repositories for AI‑service credentials.
- Enforce secret‑scanning tools (e.g., GitGuardian, TruffleHog) in CI/CD pipelines.
- Rotate any discovered keys and implement short‑lived token policies.
- Update third‑party risk questionnaires to include AI‑service secret management controls.
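As an added illustration of the audit and CI/CD scanning actions above (example code written for this note, not GitGuardian's or TruffleHog's), a minimal scanner that flags AI‑service key shapes in committed text, skips low‑entropy placeholders, and prints only redacted values. The key patterns and the sample file content are assumptions constructed for the example, not vendor specifications.

```python
import math
import re
import sys
from collections import Counter

# Pattern shapes are an assumption for this example (loosely modelled on common
# AI-service key prefixes), not a vendor-published specification.
PATTERNS = {
    "openai_like": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}\b"),
    "anthropic_like": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}\b"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|token|secret)\s*[:=]\s*['\"]?([A-Za-z0-9_-]{24,})"),
}

def shannon_entropy(s):
    """Bits per character; placeholder strings like 'xxxx...' score near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(secret):
    """Never echo the full value into CI logs; keep just enough to locate it."""
    return secret[:6] + "..." + secret[-4:] if len(secret) > 12 else "***"

def scan_text(text, min_entropy=3.0):
    """Return one finding per (line, secret); the first matching pattern wins."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                secret = m.group(m.lastindex or 0)  # last group holds the value
                if (lineno, secret) in seen or shannon_entropy(secret) < min_entropy:
                    continue
                seen.add((lineno, secret))
                findings.append({"line": lineno, "type": name,
                                 "redacted": redact(secret)})
    return findings

# Constructed sample file content; the key-like strings are made up.
SAMPLE = """\
# config.py (constructed sample, not a real repository)
OPENAI_API_KEY = "sk-Qm9vdGxlZ0tleUZvclRlc3Rpbmc1234"
ANTHROPIC_KEY=sk-ant-Tz8uRx4kLm2pQw9vBn7cHd3sYa6f
api_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    text = open(paths[0]).read() if paths else SAMPLE
    hits = scan_text(text)
    for h in hits:
        print(f"line {h['line']}: {h['type']} {h['redacted']}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI job on any finding
```

Run it against a file path in a pipeline step; a non‑zero exit blocks the merge, and the redacted output keeps the full secret out of build logs.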
Technical Notes — The leaks stem from developers inadvertently committing API keys, OAuth tokens, and service‑account credentials to public GitHub repos. No specific CVE is involved; the issue is a widespread misconfiguration and lack of secret‑management hygiene. Affected data includes API keys for OpenAI, Anthropic, Cohere, and other AI platforms, as well as associated billing credentials.
Source: HackRead