Over 17,000 sensitive secrets leaked from public GitLab repos, exposing major security risks and developer lapses across global projects.

Continue reading
Based on the research by security engineer Luke Marshall, who uncovered over 6,000 live secrets in public Bitbucket repositories, the narrative is clear: established enterprise platforms are an overlooked goldmine for attackers, harboring long-forgotten, highly impactful credentials.
This article reconstructs his investigation to provide a technically detailed account of the findings and their broader implications for cloud security.
While much of the security community's attention has been on platforms like GitHub and GitLab, Bitbucket has been a compelling target for investigation. In operation since 2008 and owned by Atlassian, it hosts code for thousands of enterprises.
Its appeal to security researchers stemmed from two key factors: the inherent nature of Git, which can bury secrets deep within commit history, and the fact that it has not received the same level of scrutiny from security tooling and researchers as its competitors. This combination suggested a potential trove of undiscovered exposed credentials.
To accurately assess the scale of the problem, the goal was to scan every public Bitbucket Cloud repository—a total of 2,636,562 as of the initial research date. Handling this volume required a robust and scalable automation strategy.
The solution was a serverless architecture built on AWS, chosen for its ability to handle the massive workload efficiently. The process involved two core components :
This setup ensured no repository was scanned twice and provided fault tolerance; if any part of the process failed, it could seamlessly resume without losing progress. This architecture enabled the scanning of all 2.6 million repositories over a single weekend .
The scan yielded 6,212 verified live secrets . The analysis of these secrets revealed several alarming trends that challenge conventional security assumptions.
The table below breaks down the leaked credentials by service and file type, showing where and how these exposures occurred :
| Secrets by Cloud Service | Secrets by File Extension |
|---|---|
| • GCP: 977 secrets<br>• AWS IAM: High-impact<br>• SendGrid: High-impact<br>• MongoDB: High-impact<br>• OpenAI: High-impact<br>• Atlassian: 247 secrets<br>• Azure Storage: High-impact<br>• Stripe, Slack, Twilio: High-impact | • JSON: Most common<br>• PHP: 4th most common<br>• Python (.py): Large footprint<br>• JavaScript (.js): Large footprint |
One of the most surprising findings was the age of the live credentials. The research uncovered secrets that had been sitting exposed for years, including a live AWS key committed 12 years ago, in June 2013. The research graph shows a consistent average of 600-700 live secrets exposed each year between 2018 and 2024. This indicates that once a secret is committed, it often remains alive and undiscovered indefinitely.
A particularly ironic finding was the disproportionately high number of exposed credentials for Atlassian's own products, including Jira, Bitbucket, and Opsgenie. In total, 247 valid Atlassian credentials were discovered, a volume much higher than seen in similar scans of other software ecosystems .
The findings underscore a critical need for robust defensive measures. To address these risks, Bitbucket has integrated a native secret scanning feature. This scanner checks new commits for over 800 patterns of known secret types and alerts authors and committers via email when a potential leak is detected. The system is customizable, allowing admins to define their own regular expression (regex) patterns for proprietary secret formats and create allow lists to reduce false positives.
However, technology alone is not enough. The research also triggered a vital security response. Alongside the TruffleHog team, the researcher participated in a responsible disclosure process that led to the revocation of thousands of live secrets. Furthermore, 11 critical P1 vulnerabilities were submitted to bug bounty programs, and over 50 organizations were notified of their exposed secrets.
This investigation offers crucial insights for the security community:

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation