In a sweeping analysis carried out in late 2025, Flare researchers uncovered more than 10,000 Docker Hub container images leaking secrets (including production API keys, cloud tokens, CI/CD credentials, and even AI model access tokens), all pushed to public repositories, often unintentionally by developers.
Non-human identities (NHIs): tokens, API keys, service accounts, and workload identities are the machine-to-machine credentials that power modern software development and cloud infrastructure.
Unlike human users, who authenticate with passwords and MFA, these identities authenticate applications, build pipelines, and automated services continuously, often with broad privileges and indefinite lifespans.
When people read findings like this, the instinctive response is often, "They'll learn the hard way," or "These must be small companies or inexperienced developers, not serious enterprises or Fortune 500 companies."
But the reality is far more complex and far more troubling than a shallow headline suggests. These exposures are not edge cases; they are structural failures in how modern software is built and operated.
To understand why, consider these real-world nightmares from recent years involving the exposure of non-human identities.
The Snowflake Breach: 165 Organizations Compromised Through Leaked Credentials
One of the most prominent cases, and one that drew widespread media attention, was the 2024 Snowflake incident. It was not driven by a software exploit but by the silent abuse of long-lived credentials that had been leaking into the criminal ecosystem for years.
The threat actor cluster UNC5537 authenticated to roughly 165 Snowflake customer environments using exposed credentials harvested from historical infostealer malware dumps and cybercrime marketplaces.
These credentials (API-like accounts, automation users, and data-access identities) often lacked multi-factor authentication and were designed to persist indefinitely. The data accessed included highly sensitive corporate and customer information belonging to organizations such as AT&T, Ticketmaster, Santander, and others, which was later advertised for sale or used in extortion campaigns.
Home Depot's Year-Long Exposure: When a Single GitHub Token Outlasts Its Creator
In late 2025, it was reported that Home Depot's internal systems had remained accessible for over a year because of a single leaked GitHub access token belonging to an employee. The token had been inadvertently published in early 2024 and was exposed on a public platform.
Automated scanning telemetry showed that this token granted broad rights, including read and write access to hundreds of private source code repositories, as well as access to connected cloud infrastructure, order-fulfillment systems, inventory management platforms, and developer pipelines. Any system it touched effectively treated the token as a valid non-human identity able to authenticate without challenge.
Despite multiple attempts by an external security researcher to alert Home Depot's security team, the token remained active and publicly accessible for months, and was only revoked after third-party media engagement forced action.
The prolonged exposure underscores a systemic gap in credential governance and automated secret detection: long-lived machine identities without rotation, expiration, or proactive monitoring allowed a static access token to function as a persistent authentication vector across critical internal systems.
This incident did not involve a software vulnerability in the platform itself, but rather the continued validity of a leaked identity token, illustrating how unmanaged non-human credentials can inadvertently open significant attack surfaces in mature enterprise environments.
Red Hat GitLab Breach: Consulting Repositories Become Unintentional Credential Stores
In October 2025, a Red Hat GitLab instance used by its consulting group was compromised by the group calling itself "Crimson Collective," resulting in the exfiltration of tens of thousands of private repositories and hundreds of Customer Engagement Reports (CERs).
These artifacts contained architectural diagrams, deployment configurations, and, crucially, embedded credentials such as tokens, database URIs, and service keys that had flowed into the repositories over time as part of consulting engagements.
By mixing contextual data with static secrets inside GitLab, what should have been neutral code storage effectively became an unintentional credential store and access map, exposing sensitive material that could be used as valid authentication vectors across customer environments.
The Risks of NHIs Cannot Be Ignored
Let's return to the Flare research that uncovered over 10,000 container images, tied to more than 100 organizations and containing thousands of live keys. Below is a further breakdown of the secrets found, by category and by the number of Docker Hub accounts affected:
| Category | Docker Hub Accounts | Meaning |
|---|---|---|
| AI | 191 | AI API keys (Grok, Gemini, etc.) |
| CLOUD | 127 | AWS / Azure / GCP / Cosmos / RDS secrets |
| DATABASE | 89 | Mongo / Postgres / Neon / ODBC / SQL credentials |
| ACCESS | 103 | JWT / SECRET_KEY / APP_KEY / encryption keys |
| API_TOKEN | 157 | Generic third-party API keys |
| SCM_CI | 44 | GitHub / Bitbucket / NPM / Docker tokens |
| COMMUNICATION | 31 | SMTP / SendGrid / Brevo / Slack / Telegram credentials |
| PAYMENTS | 21 | Stripe / Razorpay / Cashfree / SEPAY keys |
So why do container images contain keys in the first place? Because to function, build, and operate, they must authenticate to many different environments: cloud platforms, APIs, databases, CI/CD systems, and internal services.
Since this access is performed by software rather than people, it relies on non-human identities such as tokens, API keys, and service accounts. These machine identities are now deeply embedded in the modern software development lifecycle and production infrastructure, powering everything from code builds to application runtimes behind the everyday technology we all use.
Non-human identities have become one of the most critical (and least understood) pillars of the modern software development lifecycle. Every build, test, deployment, and production workflow now runs on machine-to-machine authentication: CI runners pulling code, pipelines pushing containers, cloud services provisioning infrastructure, applications calling APIs, and models querying data.
These processes don't log in with usernames and passwords; instead they rely on tokens, API keys, service accounts, OAuth apps, and workload identities that operate continuously, often with broad and persistent privileges.
Unlike human users, these identities don't change jobs, don't get phished, and don't forget passwords, which is exactly what makes them dangerous when exposed. Paradoxically, a non-human identity can far outlive the human who created it.
The admin-level super key issued by a senior DevOps engineer five years ago (who may now be the CTO of a fast-growing startup) is often still alive, fully privileged, and quietly waiting in the shadows.
Unlike people, these machine identities don't change roles, leave the company, or get deprovisioned unless someone explicitly remembers to do so, making them some of the most persistent and dangerous artifacts in modern infrastructure.
If a non-human identity leaks into a repository, container image, or log file, it can grant attackers silent, durable, and legitimate access deep into an organization's software development lifecycle (SDLC), often bypassing detection entirely because everything looks like normal automation.
In today's cloud-native world, controlling non-human identities is no longer a hygiene task; it is the security boundary of the SDLC itself.
What This Means for Security Teams and Incident Response
The key takeaway from these findings is simple: attackers are already authenticating with leaked secrets found in public container registries. This isn't a theoretical risk; it's happening now.
We need to treat non-human identities the way we treat human identities: monitor their behavior, limit their access, and delete them when they are no longer needed.
For defenders, the imperative is clear:
- Treat container images as code AND credentials. They are no longer just deployable artifacts; they are potential leak vectors for sensitive keys, and a file removed in a later Dockerfile step is still present in the earlier layer that added it.
- Integrate automated secret scanning at every stage of the SDLC. Catch leaks before images are pushed anywhere public.
- Adopt short-lived, ephemeral credentials backed by identity federation rather than long-lived tokens baked into images.
- Monitor for exposed keys in public registries and revoke them proactively; don't wait for an attacker to misuse them.
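As an added illustration of the first, second and fourth points above (example code written for this edit, not Flare's scanner or its detection ruleset), the following Python scans a `docker save` style image tarball layer by layer instead of grepping the flattened filesystem. The pattern set, the `manifest.json` plus `layer.tar` layout it expects, and the two-layer sample image it builds in memory are all constructed for the example; the credential values are the placeholder access key and secret key from AWS's own documentation and a made-up GitHub token. The part a scan of the running container would miss: a secret copied in by one Dockerfile step and deleted in a later one is recorded as an OCI whiteout entry (`.wh.<name>`), but the earlier layer still ships the file, so anyone who pulls the image can recover it.

```python
import io
import json
import re
import tarfile

# A small pattern set covering well-documented token formats. Constructed for this
# example; it is not Flare's ruleset and is far from exhaustive.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        rb"(?i)AWS_SECRET_ACCESS_KEY\s*=\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "github_token": re.compile(rb"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(rb"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

WHITEOUT_PREFIX = ".wh."


def _whiteout_target(member_name):
    """Map a whiteout entry such as 'app/.wh..env' to the path it deletes ('app/.env').

    Opaque whiteouts ('.wh..wh..opq') hide a whole directory; they are skipped here
    because the file data in earlier layers still exists either way.
    """
    parent, _, base = member_name.rpartition("/")
    if not base.startswith(WHITEOUT_PREFIX) or base == ".wh..wh..opq":
        return None
    target = base[len(WHITEOUT_PREFIX):]
    return f"{parent}/{target}" if parent else target


def scan_image(image_tar):
    """Scan a `docker save` style tarball (bytes) and return secret findings per layer."""
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        layer_blobs = [outer.extractfile(n).read() for n in manifest[0]["Layers"]]

    # Pass 1: note the first layer (if any) that deletes each path via a whiteout.
    deleted_in = {}
    for idx, blob in enumerate(layer_blobs):
        with tarfile.open(fileobj=io.BytesIO(blob)) as layer:
            for m in layer.getmembers():
                target = _whiteout_target(m.name)
                if target is not None:
                    deleted_in.setdefault(target, idx)

    # Pass 2: grep every regular file in every layer. A file removed in a later
    # layer is still shipped in the earlier one, so it is scanned and flagged.
    findings = []
    for idx, blob in enumerate(layer_blobs):
        with tarfile.open(fileobj=io.BytesIO(blob)) as layer:
            for m in layer.getmembers():
                if not m.isfile() or _whiteout_target(m.name) is not None:
                    continue
                data = layer.extractfile(m).read()
                for kind, pattern in SECRET_PATTERNS.items():
                    for match in pattern.finditer(data):
                        findings.append({
                            "layer": idx,
                            "path": m.name,
                            "kind": kind,
                            "match": match.group(0).decode(errors="replace"),
                            "deleted_in_later_layer": deleted_in.get(m.name, -1) > idx,
                        })
    return findings


def _tar_bytes(files):
    """Build an uncompressed tar in memory from {path: bytes}; b'' entries are empty files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image. Layer 0 copies a .env into the image; layer 1
    'deletes' it (whiteout entry) and adds source with a hard-coded GitHub token.
    The AWS values are the placeholder keys from AWS documentation, not real secrets."""
    layer0 = _tar_bytes({
        "app/.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                    b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    })
    layer1 = _tar_bytes({
        "app/.wh..env": b"",
        "app/main.py": b'GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n',
    })
    manifest = json.dumps([{
        "Config": "config.json",
        "RepoTags": ["example/app:latest"],
        "Layers": ["layer0/layer.tar", "layer1/layer.tar"],
    }]).encode()
    return _tar_bytes({
        "manifest.json": manifest,
        "config.json": b"{}",
        "layer0/layer.tar": layer0,
        "layer1/layer.tar": layer1,
    })


if __name__ == "__main__":
    for f in scan_image(build_sample_image()):
        flag = " (removed in a later layer, but still in the image)" if f["deleted_in_later_layer"] else ""
        print(f'layer {f["layer"]} {f["path"]}: {f["kind"]}{flag}')
```

To run it against a real image, `docker save example/app:latest -o image.tar` and call `scan_image(open("image.tar", "rb").read())`. The first two findings come from layer 0 and are flagged as deleted in a later layer; that is exactly the case where `docker run ... cat app/.env` reports "No such file" while the key is still one `tar -x` away for anyone who pulls the image, which is why scanning has to happen on the artifact before it is pushed, and why an exposed key has to be revoked rather than merely removed.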
Fortunately, the security industry has responded with specialized tooling. Platforms designed for Threat Exposure Management, such as Flare and similar solutions, continuously scan public registries and code repositories for exposed credentials, map them to real attack surfaces, and enable rapid remediation.
For organizations managing thousands of non-human identities across their SDLC, automated detection and revocation capabilities are no longer optional.
Learn more by signing up for our free trial.
Sponsored and written by Flare.