GitLab’s Secret Scandal: 17,000 Exposed Credentials Unveiled in Massive Repository Sweep!

Security engineer Luke Marshall discovered over 17,000 exposed secrets on GitLab using TruffleHog. The scan, costing $770, found Google Cloud credentials, MongoDB keys, and more. Despite notifying affected parties and earning $9,000 in bug bounties, some secrets remain exposed. GitLab’s secret density was 35% higher than Bitbucket’s.


Hot Take:

***In a plot twist worthy of a cybersecurity soap opera, GitLab’s public repositories were found to be spilling secrets like a faulty faucet. With more leaks than a sieve, Luke Marshall’s digital mop-up operation uncovered a treasure trove of exposed credentials. Maybe it’s time for developers to enroll in a “Secrets Management 101” class and stop treating public repositories like a diary under the bed.***

Key Points:

  • Marshall scanned 5.6 million public GitLab repositories using TruffleHog and found over 17,000 exposed secrets.
  • The method employed cost $770 and completed the scan in just over 24 hours.
  • Google Cloud Platform credentials were the most common leaked secret type, followed by MongoDB keys and Telegram bot tokens.
  • Marshall used automation to notify affected parties, earning $9,000 in bug bounties.
  • Despite efforts, not all exposed secrets have been revoked or secured by their owners.

Secrecy? More Like Secret-See!

In the world of cybersecurity, the old adage “secrets, secrets are no fun unless you share with everyone” has never been less true. Luke Marshall, our intrepid digital detective, decided to play the role of digital whistleblower. Armed with his trusty TruffleHog, he delved into GitLab.com, a realm rife with public repositories, and emerged with a hoard of 17,430 secrets. That’s enough secrets to fill a reality TV show! The scan spanned 5.6 million repositories, revealing that developers often treat sensitive credentials like those pesky “keep off the grass” signs: more of a suggestion than a rule.

Snooze and You Lose (Your API Key)

Marshall’s epic trek through GitLab was not one of aimless wandering. Using GitLab’s public projects API, he enumerated the repository wilderness with a custom Python script and sent each repository name to an AWS Simple Queue Service queue, from which AWS Lambda functions pulled work and ran TruffleHog with the concurrency of a caffeinated squirrel. The result? A complete scan of 5.6 million repositories in just over 24 hours, at a cost of a mere $770: a small price to pay for uncovering the skeletons in GitLab’s closet.
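Here is that pipeline written out end to end as an added example. This is not Marshall’s script and none of it comes from his write-up: a producer pages through GitLab’s public projects API with keyset pagination and pushes repositories onto SQS in batches of ten, a Lambda handler pulls each queued repository and runs TruffleHog on it, and a tally counts verified findings per detector, the same per-provider breakdown he reported. The query parameters, TruffleHog flags and JSON field names are assumptions drawn from the current GitLab API and TruffleHog v3 documentation, so check them against your versions; boto3, AWS credentials and the queue URL are assumed to exist; the sample projects and findings are constructed so the module runs offline.

```python
"""Added example, not Marshall's code: GitLab projects API -> SQS -> Lambda+TruffleHog -> tally.
Query parameters, CLI flags and JSON field names are assumptions drawn from current docs."""
import json
import subprocess
from collections import Counter
from typing import Callable, Iterable, Iterator
from urllib.parse import parse_qs, urlparse

GITLAB_API = "https://gitlab.com/api/v4/projects"
SQS_BATCH_MAX = 10  # SendMessageBatch accepts at most 10 entries per call


def enumerate_public_projects(fetch: Callable[[str], list], per_page: int = 100) -> Iterator[dict]:
    """Walk the public project list with keyset pagination (order_by=id, id_after=N).
    fetch(url) returns the decoded JSON array for one page; injected so this runs offline."""
    id_after = 0
    while True:
        url = (f"{GITLAB_API}?visibility=public&simple=true&order_by=id&sort=asc"
               f"&per_page={per_page}&id_after={id_after}")
        page = fetch(url)
        if not page:
            return
        for project in page:
            yield {"id": project["id"], "url": project["http_url_to_repo"]}
        id_after = page[-1]["id"]

def batches(items: Iterable, size: int = SQS_BATCH_MAX) -> Iterator[list]:
    """Group items into SQS-sized batches."""
    batch: list = []
    for item in items:
        batch.append(item)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch

def sqs_entries(batch: list) -> list:
    """SendMessageBatch entries; Id only has to be unique within one call."""
    return [{"Id": str(i), "MessageBody": json.dumps(p)} for i, p in enumerate(batch)]

def enqueue_all(fetch: Callable[[str], list], queue_url: str) -> int:
    """Producer: page through GitLab and push every project onto the queue.
    boto3 is imported lazily so the rest of the module runs without AWS credentials."""
    import boto3  # assumption: credentials and the queue already exist
    sqs = boto3.client("sqs")
    sent = 0
    for batch in batches(enumerate_public_projects(fetch)):
        sqs.send_message_batch(QueueUrl=queue_url, Entries=sqs_entries(batch))
        sent += len(batch)
    return sent

def parse_trufflehog_output(text: str) -> list:
    """--json mode prints one JSON object per finding, one per line (NDJSON)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def scan_repo(clone_url: str, run=subprocess.run) -> list:
    """Worker: clone and scan one repository. Flag names are TruffleHog v3's; check --help."""
    proc = run(["trufflehog", "git", clone_url, "--json", "--only-verified"],
               capture_output=True, text=True, timeout=600)
    return parse_trufflehog_output(proc.stdout)

def lambda_handler(event: dict, context=None, scanner=scan_repo) -> dict:
    """Lambda entry point for an SQS trigger: each record body is one queued project."""
    findings: list = []
    for record in event.get("Records", []):
        findings.extend(scanner(json.loads(record["body"])["url"]))
    return {"findings": findings}

def summarize(findings: list) -> tuple:
    """Verified findings per detector plus the repos they came from.
    Field names are those TruffleHog v3 emits (DetectorName, Verified, SourceMetadata)."""
    by_detector: Counter = Counter()
    repos = set()
    for f in findings:
        if not f.get("Verified"):
            continue  # unverified matches are noise for a notification campaign
        by_detector[f["DetectorName"]] += 1
        git = f.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        if git.get("repository"):
            repos.add(git["repository"])
    return by_detector, repos

# Constructed sample data (not real projects or findings) so the module runs offline.
SAMPLE_PROJECTS = [{"id": i, "http_url_to_repo": f"https://gitlab.com/example/repo{i}.git"} for i in (3, 7, 12)]
SAMPLE_TRUFFLEHOG_OUTPUT = "\n".join(
    json.dumps({"DetectorName": name, "Verified": ok, "Raw": "REDACTED",
                "SourceMetadata": {"Data": {"Git": {"repository": f"https://gitlab.com/example/repo{r}.git"}}}})
    for name, ok, r in [("GCP", True, 3), ("MongoDB", False, 3), ("GCP", True, 7)])

def fake_fetch(url: str) -> list:
    """Stand-in for HTTP GET: serves SAMPLE_PROJECTS two at a time with keyset semantics."""
    after = int(parse_qs(urlparse(url).query)["id_after"][0])
    return [p for p in SAMPLE_PROJECTS if p["id"] > after][:2]
```

Two design points matter for cost and coverage. Lambda’s per-function concurrency limit is the throttle that turns 5.6 million repositories into “just over 24 hours” rather than a week, and a reserved-concurrency cap is also what keeps the bill near $770 instead of surprising you. Each invocation also has a hard time limit, so the `timeout` on the TruffleHog call is not optional: oversized repositories should fail fast and go to a dead-letter queue for a separate, longer-running scan rather than stall the fleet. Finally, `--only-verified` makes TruffleHog call each provider to confirm the credential is live, which is exactly why the findings were actionable enough to earn bounties.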

Cloudy with a Chance of Secrets

The findings were as shocking as finding a polar bear in the Sahara. Google Cloud Platform credentials topped the list of leaked secrets, with over 5,200 exposed, turning GCP into a veritable open house. Not far behind were MongoDB keys, Telegram bot tokens, and OpenAI keys. It seems that when it comes to keeping secrets, developers might need to brush up on their lock-and-key skills. In a world where secrets are as secure as a screen door on a submarine, it’s no wonder the researcher’s notifications prompted a flurry of revocations.

Marshall to the Rescue

With 2,804 unique domains implicated in this digital drama, Marshall took on the role of a cybersecurity superhero. Employing automation to notify affected parties, he wielded Claude 3.7 Sonnet with web search capabilities and a Python script to generate notification emails faster than you can say “data breach.” His efforts were rewarded with bug bounties totaling $9,000: a small fortune for a day’s (or 24 hours’) work. Yet, despite his gallant crusade, some secrets remain exposed, echoing the age-old dilemma: you can lead a developer to security, but you can’t make them think.

Secrets in the Wild West of GitLab

While historical data indicates most leaked secrets date from post-2018, Marshall’s journey unearthed some relics from 2009, still valid and functioning like a vintage car at a classic car show. It serves as a stark reminder of the digital age’s perilous side, where even the oldest secrets can resurface to haunt their creators. As organizations scramble to revoke their leaked credentials, one thing is clear: in the wild, wild west of GitLab, secrets are the currency, and vigilance is the sheriff. For now, Marshall’s work stands as a testament to the importance of cybersecurity hygiene and the ever-urgent need to keep our digital skeletons safely locked away.

The Nimble Nerd