The Expanding Frontier of Data Exposure: How Digital Secrets Are Spilling Beyond Traditional Boundaries


The New Landscape of Secret Sprawl

In today’s interconnected digital ecosystem, sensitive data is leaking into unexpected territories, creating a playground for threat actors. What was once primarily confined to code repositories has now spread across diverse platforms, from customer relationship management systems to development tools and AI interfaces. This expansion of what security experts call “secret sprawl” represents one of the most significant emerging threats in cybersecurity.

When Business Platforms Become Secret Repositories

The recent compromise of Salesforce instances illustrates how business platforms traditionally considered secure are becoming unexpected repositories for sensitive information. Attackers discovered that customer support cases within Salesforce contained credentials, authentication tokens, and API keys that customers had submitted for troubleshooting purposes.

This represents a fundamental shift in how we think about data protection, as security teams must now monitor platforms far beyond their traditional development environments. As Guillaume Valadon, security researcher at GitGuardian, notes, “They know that secrets are everywhere,” referring to the growing awareness among cybercriminals and nation-state actors that sensitive data now resides across numerous unexpected locations.

The Domino Effect of Compromised Secrets

The attack campaign tracked as UNC6395 demonstrates the cascading impact of exposed secrets. Beginning with a compromised GitHub account that provided access to Salesloft’s private repositories, attackers obtained OAuth tokens that granted them entry into multiple customers’ Salesforce instances. The compromised instances contained not just confidential sales data but additional secrets that could potentially endanger downstream customers.

Cloudflare’s disclosure following the incident highlighted the severity of the problem. The company revealed that its Salesforce instances contained technical support cases where customers had submitted logs, credentials, and over 100 API tokens. Their subsequent warning that “anything shared through this channel should now be considered compromised” underscores the permanent damage that can result from such exposures.

Supply Chain Vulnerabilities Multiply the Threat

The risks extend far beyond individual organizations, creating systemic vulnerabilities throughout the software supply chain. The Red Hat breach earlier this year demonstrated how compromised development resources can impact countless downstream customers. When threat actors accessed thousands of private code repositories in Red Hat’s GitLab instance, they also claimed to have stolen customer engagement reports containing client secrets such as access tokens.

Similarly, research from Wiz discovered that many organizations had exposed secrets in Visual Studio Code marketplaces. The team found more than 550 validated secrets from hundreds of extension publishers, including access tokens that could enable threat actors to tamper with extensions and conduct massive supply chain attacks.

“We’ve seen an increase in exposed secrets this year, though it’s hard to quantify globally,” says Rami McCarthy, principal security researcher at Wiz, highlighting the widespread nature of the problem.

The AI Acceleration Factor

The rapid adoption of AI coding assistants and generative AI platforms has exacerbated the secret sprawl epidemic. These tools often require secrets to connect to other resources, and the code they produce frequently comes from non-professional developers with limited security knowledge.

Carole Winqwist, CMO at GitGuardian, explains the compounding effect: “There is also the problem that more and more code is being produced, and the AI agents are multiplying the volume of secrets that are leveraged by the different systems.” She further notes that the Model Context Protocol layer represents “a nightmare of exposure because people are not configuring them correctly.”

Building Better Defenses in the Age of Secret Sprawl

Security experts emphasize two complementary approaches to addressing the growing threat of secret exposure:

  • Enhanced Secret Hygiene: Organizations must implement comprehensive monitoring and scanning for secrets across both internal development environments and external resources. This includes application marketplaces, extension repositories, and business platforms like Salesforce that have traditionally flown under the security radar.
  • Reduced Secret Potency: By using short-term credentials and restricting privileges for tokens and API keys, organizations can limit the damage caused when secrets are inevitably exposed. Some forward-thinking companies now use access tokens that are valid only from designated regions or specific IP addresses.
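
The scanning step in the first bullet, applied to free-text support cases of the kind the article describes, as an added example that is not from the article or from any vendor's tooling. The case text is constructed, and the rule set, the `assigned_value` label and the entropy threshold are illustrative assumptions.

```python
import math
import re

# Well-known token shapes; values after a credential-like key are handled separately.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
ASSIGNMENT = re.compile(
    r"(?i)\b(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*[\"']?([^\s\"',;]{8,})"
)

def shannon_entropy(s):
    """Bits per character; masked or repeated values score near zero."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_secrets(text, min_entropy=3.0):
    """Return sorted (start, end, rule) spans for likely secrets in free text."""
    spans = [(m.start(), m.end(), rule)
             for rule, rx in PATTERNS.items() for m in rx.finditer(text)]
    for m in ASSIGNMENT.finditer(text):
        # Entropy gate: skip values the customer already masked, e.g. "********".
        if shannon_entropy(m.group(1)) >= min_entropy:
            spans.append((m.start(1), m.end(1), "assigned_value"))
    return sorted(spans)

def redact(text):
    """Replace each finding with a labelled marker; overlapping hits merge into one."""
    merged = []
    for start, end, rule in find_secrets(text):
        if merged and start < merged[-1][1]:
            prev = merged[-1]
            merged[-1] = (prev[0], max(prev[1], end), prev[2])
        else:
            merged.append((start, end, rule))
    for start, end, rule in reversed(merged):
        text = text[:start] + f"[REDACTED:{rule}]" + text[end:]
    return text

# Constructed case text; the AWS key ID is the example value from AWS documentation.
SAMPLE_CASE = """Case (constructed): API calls fail with 403 since Monday.
We tried key AKIAIOSFODNN7EXAMPLE from the staging account.
Config excerpt: api_key = 9fK2xQ7vLm4ZpR8tYw3B
The old login was password=******** before we rotated it.
"""

if __name__ == "__main__":
    print(redact(SAMPLE_CASE))
```

Run at intake, the same function can both alert on a case and store only the redacted text, so the credential never persists in the platform.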

Winqwist highlights a critical cultural problem that must be addressed: “When they give a key to a system or a third-party, companies tend to over-privilege it because it’s easier that way. You don’t have to give it back and it has a long lifespan. The worst is, a lot of organizations use the same key for test environments and production environments. And all of this is malpractice.”

Looking Forward: A New Security Mindset

As Darren Meyer, research advocate at Checkmarx Zero, observes, application security teams can no longer operate on trust alone. “In modern software development workflows, AppSec doesn’t have the luxury of trusting repositories,” he notes, emphasizing the need for proactive defense across all potential secret storage locations.

The expanding frontier of secret exposure demands a fundamental shift in security strategy. Organizations must assume that secrets will eventually be exposed and build their defenses accordingly, focusing both on prevention and damage limitation when prevention inevitably fails.
