39 Million Secrets Leaked on GitHub in 2024: Here’s What They’re Doing About It

GitHub quietly dropped a bomb: 39 million secrets were leaked on their platform in 2024 alone. API tokens, credentials, private keys exposed and weaponized in minutes by threat actors.


In 2024, developers accidentally leaked 39 million secrets on GitHub. These weren’t minor oversights. These were real credentials: API keys, tokens, and passwords exposed in public and private repos, often harvested by threat actors within minutes.

GitHub’s push protection blocks secrets every minute, but clearly the problem isn’t going away. It’s accelerating. This isn’t just about sloppy devs. It’s about flawed processes, weak default protections, and the absence of enforced tooling across teams of all sizes.

GitHub is finally responding by breaking apart its security tools and making them more accessible. The flagship changes are the unbundling of Secret Protection and Code Security, which were previously gated behind GitHub Enterprise. Now, they’re available as standalone products and can be added to GitHub Team plans. For the first time, smaller teams can get serious security capabilities without upgrading to an enterprise contract.

For public repositories, Secret Protection remains free. That’s unchanged, but it’s now being promoted more actively.

The more important addition is org-wide secret scanning. GitHub has introduced a point-in-time secret risk assessment feature that scans every repo (public, private, and internal) and generates a report showing where secrets were exposed. The report doesn’t store or transmit the secrets themselves. This feature is currently in public preview, and GitHub is asking organizations to provide feedback to improve it.

Push protection also received upgrades, though the core concept remains the same: blocking known secret patterns at commit time. While this reduces exposure, it only works when developers are using tools that support it, and when secrets match known patterns. As always, there are blind spots.

GitHub is encouraging teams to implement stronger secrets management practices across their pipelines. That means using tools like HashiCorp Vault, AWS Secrets Manager, or Doppler, rotating secrets regularly, and eliminating hardcoded credentials in favor of environment variables or injected secrets.
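To make the two points above concrete, here is an added example (my own illustration, not GitHub’s push protection code): a minimal scanner that blocks known-provider token formats, which is what push protection can catch, and falls back to an entropy heuristic for the blind spot of secrets that match no known pattern. The vendor prefixes, the entropy threshold and the sample lines are assumptions and constructed values; none of the strings are real credentials.

```python
import math
import re

# Known-provider formats (prefix plus fixed-length body, as the vendors document them).
KNOWN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
}
# Fallback for secrets with no known format: any long opaque token.
CANDIDATE = re.compile(r"[A-Za-z0-9_\-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; a tunable assumption, not a GitHub value

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_lines(lines):
    """Return (line_no, rule, token) for every suspected secret, in line order."""
    findings = []
    for no, line in enumerate(lines, 1):
        known = [(no, rule, m.group(0))
                 for rule, pat in KNOWN_PATTERNS.items() for m in pat.finditer(line)]
        if known:  # a known format: this is what push protection blocks at push time
            findings.extend(known)
            continue
        for m in CANDIDATE.finditer(line):  # the blind spot: unknown formats need heuristics
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append((no, "high_entropy", m.group(0)))
    return findings

# Constructed sample of lines a developer might push; none of these are real credentials.
SAMPLE_DIFF = [
    'GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"',  # known GitHub PAT shape
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',                  # AWS documentation example key
    'DB_PASSWORD = "x9K2mQv7LpZ4tRn8Wb3Yc6Hd"',                    # no vendor prefix: only entropy flags it
    'API_URL = "https://example.com/api/v1/items"',               # benign, must not be flagged
    'token = os.environ["GITHUB_TOKEN"]',                         # the recommended pattern: no literal
]

if __name__ == "__main__":
    for no, rule, token in scan_lines(SAMPLE_DIFF):
        print(f"line {no}: {rule}: {token[:8]}...")  # never echo the full secret into logs
```

The last sample line is the shape the post recommends: the value comes from the environment or an injected secret, so there is nothing for a scanner, or an attacker, to find in the repo.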

The central takeaway is simple: GitHub saw 39 million secrets leak in a single year. Their platform is still a prime target for attackers scanning for access keys. These new changes remove some of the cost and access barriers to fixing the problem, but responsibility still falls on teams to adopt real operational discipline.

Trusting GitHub to protect your secrets for you isn’t a strategy; it’s negligence.


TL;DR:

  • 39M secrets leaked in 2024
  • GitHub unbundled Secret Protection and Code Security
  • Org-wide scans now possible without Enterprise
  • Push protection still active but leaks persist
  • Time to rethink your secrets hygiene