.svg)
.svg){kind=small}
This year's report offers a look at what changed, what stayed the same, and where you can find a little hope in the quest for effective secrets management. While other reports focus on code repositories, Nightfall detects secrets across numerous mission critical SaaS apps and endpoints, giving a more comprehensive picture of leakage trends throughout the development lifecycle. We found secrets in ticketing apps, messaging and collaboration tools, cloud workspaces, and yes, code repositories. Access the full report to see what key risks you may be facing, detailed analyses, and emerging trends in this year's findings.
API Keys + Passwords Emerge as the Dominant Security Threat in 2025
The latest State of Secrets Exposure Report from Nightfall AI reveals a continuing and highly concerning trend in the data security landscape, with API keys and passwords together comprising the majority of all secret exposures–96.4%. This pervasive issue highlights the need for a critical pivot point in how organizations strategically address internal secret sprawl.
The Rise of Nonhuman Identity Vulnerabilities
The predominance of API key exposures in recent years represents more than just a statistical anomaly. It's a clear indicator of how modern cloud-native architectures and the race to develop AI-enabled software have transformed enterprise environments. Per usual, attackers are standing at the ready to exploit any security oversight, or in this case exposed secret, that will give them access to your most valuable assets. In this vein, cloud infrastructure keys pose particularly severe risks, as a single compromised credential can provide attackers access to your most sensitive environments.
Most concerning is the potential for cascade effects: compromised credentials don't just affect the original organization but can be weaponized to launch sophisticated attacks against multiple targets. One leaked key could lead to very serious security incidents if found by a malicious actor.
Passwords Are Still an Issue
As a high-entropy data type passwords can be tricky to detect. After all, they're intended to be highly unpredictable. While they carry less risk than an active API key if exposed, passwords can still be the key to catastrophic attacks if they grant a threat actor access to a really juicy target–or if they can be used to conduct lateral movement and/or privilege escalation.
Unfortunately, generic detectors and legacy DLP tools are still going to struggle to find and remediate exposed passwords, making them an unreliable security layer. Unlike structured data types like social security numbers or credit card information that can be discovered with legacy DLP built on regular expressions (regex) and matching, passwords are extremely prone to false positives that can overwhelm and distract security teams. This highlights the need for a valid strategy to detect and remediate passwords, which may include tool upgrades to gain more advanced secrets detection engines.
Corporate AI Rollouts: A New Battlefield
As organizations rapidly integrate AI technologies, a new vulnerability vector has emerged. Corporate Large Language Model (LLM) API keys have become prime targets for attackers seeking to:
- Exploit computational resources
- Access valuable training data
- Potentially compromise AI system integrity
This trend is expected to accelerate as generative AI adoption continues to grow across industries. Security teams are busy with a host of basic security measures and architectural techniques that enable them to prevent violations of privacy laws when processing sensitive data. The speed and stress of these rollouts, however, can distract teams from realizing the need for proactive measures throughout the development lifecycle, including keeping API keys for LLMs out of their project management, ticketing, and other collaboration SaaS apps.
Our prediction for next year is that this key type will continue to grow in the percentage of exposed keys in organizations moving so quickly with tech rollouts that they may become more prone to secret leaks. It's recommended to focus on proactive ways to harden organizations' security posture, such as implementing automated tools capable of detecting and remediating valid occurrences of key exposure to improve data hygiene. Keeping non-revoked secrets out of systems is the best assurance: no data, no theft.
The Winner for Most Ironic Secret Exposed Goes to...
In a revealing twist, the report identified frequent exposures of API keys to cybersecurity platforms. This finding emphasizes that even security-conscious organizations aren't immune to credential exposure risks. It serves as a stark reminder that security excellence requires constant vigilance in data hygiene, regardless of an organization's security maturity. Security initiatives are just as vulnerable as any other IT initiative when it comes to anticipating and mitigating major security risks. These are the types of secrets attackers would relish in using against their targets.
The Good News: User-led Remediation Works.
Despite the challenges with API keys, there's encouraging news. User-led remediation coupled with in-context employee training has shown marked improvement, with Nightfall clients showing a dramatic 44% reduction in password exposures in cloud workspaces and SaaS platforms. This success demonstrates the effectiveness of user-centered security approaches and suggests a model for addressing API key vulnerabilities as an urgent issue in Insider Risk Management.
In contrast with lackluster outcomes of legacy security awareness campaigns that often include training videos and simulated phishing attacks, user-led remediation with in-context training helps users on two fronts: 1) it ties understanding to a specific action taken by the employee minutes or seconds beforehand, rather than presenting out-of-context hypothetical scenarios and 2) it empowers end-users to fix their own errors. A recent study conducted by researchers at UC San Diego and the University of Chicago evidenced the value of what they term "embedded training," or training that is set within the context of specific work tasks–the same approach Nightfall uses.
Embedded, end-user security training also increases engagement, a sense of belonging, and participation in building a culture of cybersecurity. In turn, this supports proactive reduction of insider risk by creating what could be termed a human firewall. If the average company could see vast improvements in data hygiene, not only could their security teams point to measurable ROI on tool investments and programs, but they can significantly decrease their occurrences of secrets exposure.
UAM tools aren't designed to detect secrets.
If your organization has implemented user activity monitoring tools to track employee behavior as it relates to sensitive data handling, look at evidence of improvement. Are user data handling practices getting better over time? If you don't have enough data, accurate detection, and context to answer that question, that could also be a hint that UAM tools aren't really sufficient to address secrets sprawl in any substantive way.
Recommendations for Organizations
Implement Robust API Key Management
- Establish strict key rotation policies to reduce chances of an attacker finding valid secrets.
- Deploy automated key exposure monitoring with data detection and response.
- Train users with user-led remediation and in-context training.
- Implement least-privilege access principles and monitor for changes in access settings.
Enhance AI Infrastructure Security
- Create specific security protocols for AI-related credentials, especially across engineering and development teams.
- Monitor computational resource usage patterns.
- Protect training data access points.
Strengthen Your Cybersecurity Culture
- Take an in-depth look at your current security strategy and tech stack, measuring for for ROI and efficacy.
- Extend password security practices to API key management.
- Approach future security awareness programs with an eye for in-context skills learning and application, versus training videos and predictable simulations.
- Engage employees in meaningful remediation activities, using an adaptable approach to building a culture of security.
- Foster a proactive security mindset across technical teams.
Deprecate Legacy DLP and Upgrade
- Manual processes and time-consuming management limit the effectiveness of existing DLP.
- Seek out and test detection models with powerful capabilities in finding unstructured data accurately.
- Centralize alert management either by leveraging a tool that offers an easy to use, central dashboard for investigations, remediation, and analysis, or integrate your DLP with SIEM.
Looking ForwardAs we progress through 2025, organizations must adapt to this evolving threat landscape. The focus must shift from traditional password-centric security models to comprehensive credential management strategies that address the unique challenges of API keys, particularly in AI and cloud environments.
Organizations' success in reducing password exposures provides a blueprint for addressing API key vulnerabilities. By applying these lessons and maintaining vigilant monitoring, organizations can better protect their digital assets in an increasingly complex security landscape.
To learn more, download the full report.
.svg)
.svg)
.svg){kind=small}
.svg)
.svg){kind=small}
