
39 Million Secrets Leaked on GitHub. Yours Could Be Next.

DEV Community·Fernando Rodriguez·about 1 month ago

5 minutes. That's how long it took. A security researcher published an AWS access key on a public GitHub repository. They did it on purpose, as an experiment. Five minutes later, someone was already using it to mine cryptocurrency. Five. Minutes.

There are bots scanning GitHub 24/7 looking for exactly that: exposed credentials. And they're fast. Much faster than you are at realizing you screwed up.

The numbers are scary

According to GitHub, 39 million secrets were leaked in public repositories in 2024. A 67% increase from the previous year. GitGuardian, which specializes in scanning exactly this, found 23.7 million new secrets just in public repos. And the worst part: 70% of secrets detected in 2022 were still active in 2024. Two years later. Still working. Waiting for someone to use them.

It's not just random people

Toyota had AWS credentials exposed on GitHub that gave access to their vehicle telematics system. Pearson lost data because someone left a GitLab token in a configuration file.…
