Your developer pushed an API key to GitHub 3 years ago. A bot scraped it last night. Your database is now on a forum.
May 23, 2026 β 7 min read β Pedro Jose
It was a Tuesday. A developer was debugging a payment integration. They needed to test the webhook endpoint. Instead of using environment variables, they hardcoded the API key into config.py. They committed. They pushed. They moved on.
That was 1,095 days ago.
Last night, at 3:14 AM, a bot scanning GitHub for leaked secrets found that commit. It extracted the Stripe secret key β sk_live_4eC39HqLyjWDarjtT1zdp7dc β and sent it to a Telegram channel. 20 minutes later, the attacker used it to list every customer, download payment logs, and refund 5,000 transactions to their own card.
Your database is now on a forum. Your customers are on the phone. Your CISO is updating their resume.
β‘ THE HARD TRUTH
Secrets in GitHub are not a matter of “if” β they’re a matter of “when.” Attackers run automated scans 24/7, searching for AWS keys, Stripe tokens, database passwords, and Slack webhooks. The moment your secret touches a public repo, the clock starts ticking.
Secrets in GitHub are not a matter of “if” β they’re a matter of “when.” Attackers run automated scans 24/7, searching for AWS keys, Stripe tokens, database passwords, and Slack webhooks. The moment your secret touches a public repo, the clock starts ticking.
The Timeline β From Commit to Catastrophe
1οΈβ£
3 years ago
Developer hardcodes
Developer hardcodes
STRIPE_SECRET_KEY = "sk_live_..." into config.py. Pushes to public GitHub repo. Doesn’t notice. Never looks back.
2οΈβ£
Last night, 3:14 AM
A bot running
A bot running
truffleHog or gitleaks scans recent commits. Finds the key in a 3βyearβold commit. Extracts it. Posts to a private Telegram channel with 12,000 members.
3οΈβ£
3:18 AM
An attacker uses the key to list all Stripe customers via API. Downloads email addresses, names, and payment methods.
An attacker uses the key to list all Stripe customers via API. Downloads email addresses, names, and payment methods.
4οΈβ£
3:22 AM
Attacker issues refunds to their own test card. 5,000 transactions reversed. $247,000 drained from your merchant account.
Attacker issues refunds to their own test card. 5,000 transactions reversed. $247,000 drained from your merchant account.
5οΈβ£
4:00 AM
Your fraud alert triggers. You wake up to 500 angry customer emails. Your Stripe account is frozen. Your CFO is asking what happened.
Your fraud alert triggers. You wake up to 500 angry customer emails. Your Stripe account is frozen. Your CFO is asking what happened.
π THE MATH
1 hardcoded key + 1 public repo + 1 bot + 3 years of neglect = $247,000 stolen + 5,000 customer records leaked + 3 regulatory filings + 1 lost CISO.
The fix would have taken 2 minutes: use environment variables, never commit secrets.
1 hardcoded key + 1 public repo + 1 bot + 3 years of neglect = $247,000 stolen + 5,000 customer records leaked + 3 regulatory filings + 1 lost CISO.
The fix would have taken 2 minutes: use environment variables, never commit secrets.
Why This Keeps Happening
- “It’s just for testing.” β Test keys become prod keys. Then they become leaked keys.
- “I’ll remove it in the next commit.” β You won’t. Git history is forever.
- “No one will look at old commits.” β Bots look at every commit. Every branch. Every fork. Every PR.
- “Our repo is private.” β Private repos get leaked. Compromised accounts happen. Malicious insiders exist.
π§ THE SCARY PART
GitHub has 400+ million repositories. Attackers don’t need to guess which one has secrets β they scan them all. Tools like
GitHub has 400+ million repositories. Attackers don’t need to guess which one has secrets β they scan them all. Tools like
truffleHog and git-secrets can scan thousands of repos per hour. Your 3βyearβold mistake is only 300 milliseconds away from being found.
The Secrets Most Commonly Found in Git History
- AWS access keys β
AKIA...β full cloud account takeover - Stripe / PayPal API keys β drain funds, expose customer PII
- Database connection strings β
postgres://user:pass@host/dbβ your entire data - Slack webhooks β send spam, phishing links, or internal leaks
- GitHub personal access tokens β push to any repo you have access to
- SSH private keys β jump from code to infrastructure
- JWT secrets β forge any user session, become admin
# Common secret patterns that bots look for
AKIA[0-9A-Z]{16} # AWS access key
sk_live_[0-9a-zA-Z]{24} # Stripe live key
—–BEGIN RSA PRIVATE KEY—– # SSH private key
mongodb://[^/]+@ # MongoDB connection string
password=[‘”][^'”]+[‘”] # Any hardcoded password
What You Need To Do Right Now
1. Scan Your Entire Git History β Not Just HEAD
# Install truffleHog
pip install truffleHog
# Scan your repo (all commits, all branches)
trufflehog git https://github.com/your-org/your-repo.git
# Scan all org repos (requires GitHub token)
trufflehog github –org=your-org
2. Rotate Every Leaked Secret β Immediately
- AWS: Delete the old key, create a new one via IAM
- Stripe: Regenerate the secret key, update all environments
- Database: Change the password, restart all connections
- Slack: Revoke the webhook, create a new one
3. Remove the Secret from Git History (Not Just the Latest Commit)
# Option 1: BFG Repo-Cleaner (faster)
java -jar bfg.jar –replace-text replacements.txt your-repo.git
# Option 2: git filter-branch (slower but built-in)
git filter-branch –force –index-filter \
“git rm –cached –ignore-unmatch config.py” \
–prune-empty –tag-name-filter cat — –all
# Force push after cleaning
git push origin –force –all
Warning: Rewriting history breaks all forks and local clones. Coordinate with your team first.
4. Enable Secret Scanning on GitHub (if you’re on a paid plan)
GitHub’s native secret scanning alerts you within minutes when a secret is pushed β not years later when a bot finds it. Turn it on today.
5. Add PreβCommit Hooks to Block Secrets at the Source
# Install git-secrets
git secrets –install
git secrets –register-aws
# Add custom patterns
git secrets –add ‘sk_live_[0-9a-zA-Z]{24}’
git secrets –add ‘password=[“\’].*[“\’]’
π THE BOTTOM LINE
Your developer pushed an API key 3 years ago. You didn’t know. Your security team didn’t scan. Your auditor didn’t check.
A bot found it last night. Your database is now on a forum.
Stop trusting your team to never make mistakes. Start scanning your history before someone else does.
Your developer pushed an API key 3 years ago. You didn’t know. Your security team didn’t scan. Your auditor didn’t check.
A bot found it last night. Your database is now on a forum.
Stop trusting your team to never make mistakes. Start scanning your history before someone else does.
How a Code Security Review Would Have Prevented This
A proper code security review includes:
- β Scanning git history for leaked secrets (not just current code)
- β Reviewing environment variable usage vs. hardcoded values
- β Auditing IAM roles and key permissions (least privilege)
- β Implementing preβcommit hooks in CI/CD pipelines
- β Training developers on secret management best practices
You don’t need to catch every mistake. You need a system that catches the one mistake that kills your business.
π¦π
Your git history is leaking secrets right now.
Full code security review: β¬1,500. Infrastructure pentest: β¬3,000. Security retainer: β¬1,500/month.
π© DM @StackOfTruths on XFree 15βmin consultation. No hard sell. Just honest answers about your secret exposure.
Leave a Reply