Secrets Management — Trivia & Interesting Facts

Surprising, historical, and little-known facts about secrets management.


GitHub found over 10 million secrets leaked in public repositories in a single year

In 2023, GitHub's secret scanning service detected over 10 million secrets — API keys, tokens, and credentials — committed to public repositories. This was a 67% increase from the previous year. GitHub began auto-revoking certain token types (like GitHub PATs) immediately upon detection.


The Uber breach in 2016 exposed data through a hardcoded AWS key in a GitHub repo

In 2016, attackers found AWS credentials hardcoded in an Uber engineer's private GitHub repository. They used those credentials to access an S3 bucket containing personal data of 57 million users and 600,000 drivers. Uber paid the hackers $100,000 through their bug bounty program to delete the data and keep quiet — a decision that later cost the CISO a criminal conviction.


HashiCorp Vault was born because the alternative was "encrypted Excel spreadsheets"

HashiCorp co-founder Mitchell Hashimoto has spoken about how, before building Vault in 2015, many organizations literally stored secrets in encrypted spreadsheets, password-protected Word documents, or sticky notes. Vault introduced dynamic secrets — credentials generated on-demand with automatic expiration — which was a paradigm shift in how the industry thought about secret lifecycle.


AWS IAM was launched with no way to rotate access keys automatically

When AWS IAM launched in 2010, there was no built-in mechanism for automatic key rotation. Users had to manually generate new keys, update all applications, and delete old keys. It took years before AWS introduced features like STS temporary credentials and IAM Roles for EC2 to address this fundamental gap.


The 2013 Adobe breach exposed 153 million passwords because they used ECB mode encryption

Adobe stored passwords using 3DES encryption in ECB (Electronic Codebook) mode instead of proper hashing. ECB encrypts identical plaintexts to identical ciphertexts, meaning researchers could identify the most common passwords by frequency analysis alone — without ever breaking the encryption. The top password was "123456," used by nearly 2 million accounts.
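The frequency-analysis effect described above, as an added example that is not Adobe's data or code: a toy 8-byte Feistel block cipher (a constructed stand-in for 3DES, keyed with a constructed key) is run in ECB mode over a constructed password list, and the stored ciphertexts are ranked by count alone, with no key and no decryption.

```python
import hashlib
from collections import Counter

BLOCK = 8   # 3DES block size; ECB encrypts each 8-byte block independently
ROUNDS = 4

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function of the toy Feistel cipher (stand-in for 3DES).
    return hashlib.blake2b(bytes([rnd]) + half, key=key, digest_size=4).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation of one 8-byte block: deterministic for a
    # fixed key, which is the only property ECB mode's weakness depends on.
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: zero-pad to a block multiple, encrypt each block independently, no IV.
    padded = data + b"\x00" * (-len(data) % BLOCK)
    return b"".join(encrypt_block(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))

def frequency_leak(ciphertexts):
    # Identical passwords give identical ciphertexts, so ranking stored
    # ciphertexts by count ranks the passwords themselves. No key needed.
    return Counter(ciphertexts).most_common()

def shared_prefix_groups(ciphertexts):
    # Passwords sharing their first 8 bytes share their first ciphertext block.
    return Counter(c[:BLOCK] for c in ciphertexts).most_common()

# Constructed sample password table (not real user data) and constructed key.
SAMPLE_PASSWORDS = ([b"123456"] * 5 + [b"password"] * 3
                    + [b"password1", b"password2", b"password!", b"letmein"])
KEY = b"constructed-demo-key"   # the analyst never learns this
STORED = [ecb_encrypt(KEY, p) for p in SAMPLE_PASSWORDS]

if __name__ == "__main__":
    top_ct, count = frequency_leak(STORED)[0]
    print(f"most common ciphertext {top_ct.hex()} appears {count} times")
```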


Environment variables became a secret storage standard because of a 2012 blog post

The Twelve-Factor App methodology, published by Heroku co-founder Adam Wiggins in 2012, popularized storing configuration (including secrets) in environment variables. While this was better than hardcoding, security researchers later pointed out that environment variables are inherited by child processes, visible in /proc on Linux, and often logged in crash dumps.


Certificate authorities have accidentally issued certificates for google.com

In 2011, DigiNotar, a Dutch certificate authority, was compromised and the attackers issued fraudulent SSL certificates for google.com and dozens of other domains. The fake Google certificate was used to intercept Gmail traffic of Iranian users. DigiNotar went bankrupt within months. This incident accelerated the development of Certificate Transparency logs.


Kubernetes Secrets are not actually secret by default

Kubernetes Secrets are stored as base64-encoded (not encrypted) values in etcd by default. Anyone with API access or direct etcd access can read them trivially. Encryption at rest for etcd was not enabled by default until much later, and many production clusters still run with unencrypted Secrets. This remains one of the most common Kubernetes security misconceptions.


The average enterprise has over 5,000 secrets sprawled across their environment

A 2023 study by 1Password found that the average enterprise has roughly 5,200 secrets (API keys, tokens, certificates, passwords) scattered across code repositories, CI/CD pipelines, configuration files, and cloud services. Only about 30% of these are actively managed through a dedicated secrets management tool.


Hardware Security Modules can cost over $50,000 each

Enterprise-grade HSMs (Hardware Security Modules) from vendors like Thales and Entrust cost between $20,000 and $100,000 per unit. Cloud HSM services like AWS CloudHSM charge around $1.50/hour ($13,000/year) per HSM instance. Despite the cost, they are required by PCI DSS for storing payment card encryption keys.