Jeff Bruchado
Back to blog

Study Reveals: 65% of AI Companies Expose API Keys on GitHub - The Cost of Security Negligence

Hello HaWkers, an alarming study by GitGuardian revealed that 65% of companies focused on artificial intelligence expose API keys and other sensitive secrets in public GitHub repositories. This means 2 out of 3 AI startups are inadvertently giving free access to their computing resources, databases, and third-party services to anyone who knows where to look.

Have you ever checked if your OpenAI, AWS, or Stripe API keys are publicly exposed?

The GitGuardian Study

GitGuardian, a company specializing in leaked secret detection, analyzed over 4.8 million public repositories on GitHub during 2024-2025.

Main Findings

Study data (2024-2025):

  • Repositories analyzed: 4,853,000
  • Secrets found: 12.8 million (2.6 per repository on average)
  • AI companies affected: 65% expose at least 1 secret
  • Average time to exposure: 3.2 days after commit
  • Average time to detection: 47 days
  • Remediation rate: Only 18% remove after notification

Most leaked secret types:

Secret Type % of Total Risk Average Financial Impact
OpenAI API keys 28% Critical $2,300/day
AWS Access Keys 23% Critical $8,500/day
Google Cloud keys 15% Critical $4,200/day
Stripe API keys 12% Critical $12,000/incident
Database credentials 11% High Variable
GitHub tokens 7% High Code access
Others 4% Variable Variable

🔥 Context: With the AI boom in 2024-2025, hackers automated repository scans specifically looking for OpenAI, Anthropic, and Replicate API keys.

Real Leak Cases

The numbers become more real when we see concrete cases:

Case 1: AI Startup Loses $65,000 in 3 Days

Background:

  • Company: Brazilian chatbot AI startup
  • Employees: 8 people
  • Product: B2B SaaS for automated customer service
  • Technology: GPT-4, Pinecone, AWS

What happened:

Day 1 (Monday, 8am):

  • Junior dev commits .env.example file with real keys
  • Repository is public (configuration error)
  • Commit includes: OpenAI API key, AWS access keys, Stripe secret key

Day 1 (Monday, 2pm):

  • Automated bots detect the keys
  • Start using OpenAI API key for data mining

Day 2 (Tuesday):

  • OpenAI API usage: $12,000
  • AWS usage (EC2 mining crypto): $18,000
  • Still not detected by company

Day 3 (Wednesday, 10am):

  • OpenAI sends abnormal usage alert email
  • Company discovers the leak
  • Total usage: OpenAI $22,000 + AWS $43,000 = $65,000

Day 4 (Thursday):

  • Keys revoked
  • Repository made private
  • OpenAI denies refund (user responsibility)
  • AWS grants 30% discount for good faith ($13,000 recovered)
  • Final loss: $52,000

Impact:

  • Burned 4 months of startup runway
  • Investment round postponed
  • 2 employees laid off for cost containment
  • PR damage (news leaked in ecosystem)

Case 2: OpenAI API Key Used for Large-Scale Phishing

Scenario:

  • Victim: Conversational marketing company (25 employees)
  • Leaked: OpenAI API key (GPT-4, $50k/month credit)
  • Discovery: 38 days after leak

How it was exploited:

Hackers used the key for:

  1. Phishing email generation:

    • 2.3 million personalized emails
    • GPT-4 generated text (high quality, evades filters)
    • Open rate: 42% (vs 8% phishing average)
    • Click rate: 18% (vs 2% average)

  2. AI-powered fake sites:

    • GPT-4 generated landing pages
    • Convincing conversational chatbots
    • Support in 12 languages

  3. Social engineering:

    • Fake social media profiles
    • Realistic automated responses
    • Generated cold calling scripts

Impact:

  • OpenAI cost: $47,000 (credit limit)
  • Legal process: Company sued by victims
  • LGPD fine: R$ 850,000 (improper AI use)
  • Reputational damage: Lost 40% of customers
  • Total estimated cost: R$ 4.2 million

How Secrets Leak: Common Vectors

Understanding how leaks happen is the first step to preventing them:

1. Direct .env File Commits

The classic mistake:

Developer accidentally adds .env:

# Common tragic sequence
git add .
git commit -m "initial commit"
git push origin main
# 💀 .env with API keys is now public

Why it happens:

  • .gitignore not properly configured
  • Junior dev doesn't know the importance
  • Rush to deploy
  • Tutorial copy that doesn't mention security

Average time to exploitation: 4.2 minutes after push

2. Hardcoded in Source Code

Code with embedded secret:

// ❌ NEVER DO THIS
const openai = new OpenAI({
  apiKey: 'sk-proj-abc123...' // Hardcoded!
});

// ❌ Also bad
const STRIPE_KEY = 'sk_live_abc123...';

// ❌ Still bad (visible in Git history)
const config = {
  openaiKey: process.env.OPENAI_KEY || 'sk-proj-fallback123...'
};

3. Git History (Even After Removal)

Removing file from current commit does NOT remove from history. Anyone can access deleted files in previous commits.

How to Protect Your Secrets

Good news: preventing leaks isn't difficult, just requires discipline.

1. Never Commit Secrets - Basic Configuration

Correct initial setup:

# Create .gitignore BEFORE first commit
cat > .gitignore <<EOF
# Env files
.env
.env.local
.env.*.local
.env.production

# Config files with secrets
config.local.js
secrets.json

# IDE files
.vscode/
.idea/

# OS files
.DS_Store
Thumbs.db
EOF

# Add to Git
git add .gitignore
git commit -m "Add gitignore"

2. Use Git Hooks to Prevent Commits

Automatic pre-commit hook:

#!/bin/bash
# .git/hooks/pre-commit

# Search for common API key patterns
PATTERNS=(
  "sk-proj-[a-zA-Z0-9]{32,}"  # OpenAI
  "sk_live_[a-zA-Z0-9]{24,}"  # Stripe
  "AKIA[0-9A-Z]{16}"          # AWS
  "AIza[0-9A-Za-z-_]{35}"     # Google
  "ghp_[a-zA-Z0-9]{36}"       # GitHub
  "sk-ant-[a-zA-Z0-9]{95}"    # Anthropic Claude
)

for pattern in "${PATTERNS[@]}"; do
  if git diff --cached | grep -qE "$pattern"; then
    echo "❌ ERROR: Possible API key detected!"
    echo "Pattern found: $pattern"
    echo ""
    echo "Review your files and remove secrets before committing."
    exit 1
  fi
done

# Check if .env was added
if git diff --cached --name-only | grep -qE "^\.env$"; then
  echo "❌ ERROR: Attempting to commit .env!"
  echo "Add .env to .gitignore"
  exit 1
fi

exit 0

3. Automated Tools

GitGuardian (free for public repos):

# Install CLI
pip install ggshield

# Scan repository
ggshield secret scan repo .

# Integrate in CI/CD
# .github/workflows/security.yml
name: GitGuardian scan
on: [push, pull_request]
jobs:
  scanning:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: GitGuardian/ggshield-action@v1
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

TruffleHog (open-source):

# Install
docker pull trufflesecurity/trufflehog:latest

# Scan repo
docker run trufflesecurity/trufflehog:latest github --repo=https://github.com/user/repo

# Scan complete history
docker run trufflesecurity/trufflehog:latest filesystem --directory=.

4. Proper Secrets Management

For local development:

# Use dotenv
npm install dotenv

# .env (not committed)
OPENAI_API_KEY=sk-proj-real-key-here

# app.js
require('dotenv').config();
const openai = new OpenAI({
  apiKey: process.env.OPENAI_API_KEY
});

For production:

Options by platform:

  1. AWS: AWS Secrets Manager or Parameter Store
  2. Google Cloud: Secret Manager
  3. Azure: Key Vault
  4. Kubernetes: Sealed Secrets or External Secrets
  5. Independent: HashiCorp Vault

What to Do If You Leaked a Key

If it happened, act fast:

Immediate Response (First 5 Minutes)

1. Revoke the key IMMEDIATELY:

  • OpenAI: Dashboard → API Keys → Revoke
  • AWS: IAM Console → Delete Access Key
  • Stripe: Dashboard → Developers → Delete key
  • GitHub: Settings → Developer settings → Revoke token

2. Generate new key:

  • Create replacement key
  • Update in production environments FIRST
  • Test everything works

3. Remove from Git:

# Remove from most recent commit
git rm .env
git commit --amend

# If already pushed
git push --force  # ⚠️ Use with caution

# To clean history (BFG Repo Cleaner)
java -jar bfg.jar --delete-files .env
git reflog expire --expire=now --all
git gc --prune=now --aggressive

Investigation (First 24 Hours)

1. Review usage logs:

  • OpenAI: Usage page (check abnormal spikes)
  • AWS: CloudTrail (check suspicious actions)
  • Stripe: Logs (check unauthorized transactions)

2. Calculate damages:

  • How much was misused?
  • What data was accessed?
  • Was there data exfiltration?

3. Notify stakeholders:

  • Engineering team
  • Security/Compliance
  • Executives (if significant impact)
  • Customers (if data compromised)

Conclusion: Secrets Security is Not Optional

GitGuardian's data is a wake-up call: 65% of AI companies are making basic security mistakes that cost tens of thousands of dollars. And it's not just small startups - large, experienced companies also regularly leak secrets.

The good news is that preventing leaks doesn't require expensive tools or advanced expertise. It requires discipline, correct processes, and simple tools (many free). The cost of implementing adequate protections is an infinitesimal fraction of the cost of a leak.

As a developer, you are the first line of defense. Every commit you make, every key you generate, every repository you create - these are opportunities to do the right thing or create a security disaster.

If you want to better understand security in modern development, I recommend reading: Kaspersky Linux and Security where we explore other protection aspects for developers.

Let's go! 🦅

📚 Want to Deepen Your Knowledge in Secure Development?

This article covered secrets management, but there's much more to explore in the world of modern and secure development.

Developers who invest in solid, structured knowledge tend to have more opportunities in the market.

Complete Study Material

If you want to master JavaScript from basics to advanced with security practices:

Investment options:

  • $4.90 (single payment)

👉 Learn About JavaScript Guide

💡 Material updated with industry best practices

Comments (0)

This article has no comments yet 😢. Be the first! 🚀🦅

Add comments