The Lesson Behind the GitLab Leak and Why Credentials Keep Slipping Through

When a security researcher scanned every public GitLab Cloud repository—more than 5.6 million projects—he uncovered over 17,000 live, verified secrets. Not old, harmless leftovers, but credentials still active, including some dating back to 2009. Google Cloud keys, MongoDB passwords, Telegram bot tokens, OpenAI keys, GitLab tokens, that were spread across more than 2,800 domains.

This incident reveals how vulnerable the modern attack surface is. Secrets are now everywhere: in repositories, cloud services, SaaS platforms, automation scripts, internal tools, and shared workspaces. They multiply faster than teams can track them, and once exposed, they can remain active for years.

The GitLab incident didn’t expose a one-off mistake. It exposed a system-wide problem.

Why This Wasn’t A One-off Event

The scale made headlines, but the underlying issues are familiar to nearly every organization:

• Developers work across multiple platforms and services.
• Teams share code, templates, and configurations at high velocity.
• OAuth connections tie SaaS apps together in ways no one fully inventories.
• Keys are generated quickly and rarely retired.
• Monitoring tools don’t always track which secrets remain valid or what systems they can reach.

The result is a quiet, ongoing expansion of credential sprawl. What the researcher found in 24 hours (on a single platform) is likely happening everywhere. Secrets don’t leak because of one bad process. They leak because modern digital ecosystems generate them constantly.

Leaked Secrets Are Far More Dangerous Today

Credentials have always been sensitive, but their impact has changed dramatically in the last few years. Attackers no longer need a vulnerability to break in. A single token can be enough to:

• Access a cloud tenant or database
• Pull sensitive data from managed services
• Interact with third-party apps connected through OAuth
• Trigger automation services with elevated permissions
• Read or modify configurations stored in SaaS platforms

The GitLab scan showed something even more worrying: old secrets don’t fade away. Some keys were over a decade old and still active. Once a credential is created, it can outlive the project, the team, or even the system that generated it. Long-lived access combined with poor visibility creates the perfect conditions for compromise.

The Hidden Surfaces Where Secrets Accumulate

Public repositories are the most visible place for credential leaks, but far from the only one. Today’s credentials quietly accumulate across: 

• SaaS platforms and OAuth connections
  Employees connect tools freely—email, documents, collaboration apps, notes, analytics dashboards. Each connection generates access tokens with varying scopes, often broader than necessary.
• Cloud service accounts and access keys
  Inactive or abandoned access keys remain valid for months or years, even when the workloads that used them no longer exist.
• App-to-app tokens across internal and third-party tools
  Machine access is growing, but the inventory of those access paths hasn’t kept pace.
• Shared automation scripts and system configurations
  Teams often reuse templates or internal scripts that quietly carry embedded keys.

The truth: credentials now live in more places than any security team can manually track.

Where Security Teams Struggle Most

The GitLab leak resonates because it mirrors daily challenges inside organizations:

• No unified inventory
  Teams rarely have a single, unified view of every active credential across cloud and SaaS environments.
• No context for risk
  A leaked token might be read-only—or it might allow full administrative actions. Without context, prioritization becomes guesswork.
• Long-lived, forgotten access
  Keys created for a quick test or temporary workflow often remain valid long after the original use case is forgotten.
• Hidden over-permissioned access
  Even valid secrets may grant far more access than intended, expanding the blast radius if attackers obtain them.
• Thousands of alerts, but little clarity
  Traditional scanners generate noise, leaving security teams unclear on which exposures matter most.

It’s not that organizations ignore the problem. It’s that modern environments produce more credentials than legacy tools were ever designed to monitor.

How CheckRed Solves the Underlying Problem

CheckRed takes a platform-level approach. Instead of looking only at repositories, it provides visibility into every credential across cloud and SaaS ecosystems, and—critically—what those credentials can reach.

With CheckRed, security teams can:

• Detect leaked or publicly exposed credentials
  Continuous monitoring across public surfaces, misconfigured assets, SaaS integrations, and cloud environments.
• Map where those credentials originate and what they can access
  A key isn’t just a string; it’s a pathway. CheckRed identifies the systems, data, and permissions that each credential can reach.
• Identify long-lived or unused secrets
  Stale credentials are flagged so teams can revoke or rotate them before they become liabilities.
• Uncover over-permissioned keys and tokens
  Excessive access is a major source of risk. CheckRed highlights credentials that grant more privilege than required.
• Monitor SaaS connections
  Third-party app connections often go unnoticed. CheckRed provides visibility into which third-party apps are connected, who authorized them, and what they can access.
• Guide remediation based on risk, not noise
  By correlating credential activity, permission scope, and exposure paths, CheckRed prioritizes alerts to help teams focus on the access that truly threatens their environment.

The outcome isn’t more alerts—it’s decisive clarity.

A Final Takeaway for Security Leaders

The GitLab incident wasn’t an anomaly. It was a snapshot of a bigger, persistent problem: credentials are proliferating faster than organizations can control them, and attackers know it.

Every exposed key—no matter how small—represents an entry point. 

Every long-lived token represents a forgotten pathway. 

And every overlooked SaaS integration represents access that no one is actively watching.

CheckRed helps organizations uncover, map, and reduce this expanding credential attack surface across their cloud and SaaS environments—so exposures are found internally, before attackers find them first.