The .env File Breach Tracker

Attackers compromised the popular GitHub Action, injecting malicious code that dumped CI/CD secrets to build logs of 23,000+ downstream repos.

A GitLab token exposed in source code allowed attackers to access the Internet Archive's infrastructure, compromising 31 million user records.

Attackers accessed the Dropbox Sign (formerly HelloSign) production environment via a compromised service account, stealing API keys and OAuth tokens.

Researchers found over 10,000 Docker Hub images leaking secrets including AWS keys, GitHub tokens, and private SSH keys embedded in image layers.

FBI and CISA issued a joint advisory on the Androxgh0st malware that specifically targets exposed .env files to steal cloud credentials and abuse SMTP.

A GitHub token left in a public repository gave unrestricted access to Mercedes-Benz's entire internal GitHub Enterprise, exposing source code and credentials.

Azure CLI was found to log credentials in plaintext to CI/CD pipeline logs, including secrets passed via environment variables.

A CircleCI engineer's laptop was compromised, giving attackers access to customer secrets stored in the CI/CD platform. All customers were told to rotate secrets.

The Lapsus$ group leaked 190GB of Samsung source code containing over 6,600 hardcoded secrets including private keys, credentials, and API tokens.

Stolen Heroku and Travis CI OAuth tokens were used to access private GitHub repos of dozens of organizations, including npm's internal packages.

The Lapsus$ group breached Nvidia and leaked 1TB of data including source code, employee credentials, and code-signing certificates.

Attackers stole Slack employee tokens from an external GitHub repository and used them to access Slack's private code repositories.

A GitHub access key was accidentally left in a public repository for nearly 5 years, exposing the personal data of 296,019 T-Connect customers.

An anonymous hacker leaked Twitch's entire 125GB source code including internal tools, SDKs, and creator payout data due to a server misconfiguration.

Attackers modified Codecov's Bash uploader script to exfiltrate environment variables (including CI/CD secrets) from thousands of customers' build pipelines.

As a downstream victim of the Codecov breach, HashiCorp's GPG signing key was exposed, requiring them to rotate their code-signing infrastructure.

A Travis CI vulnerability exposed secrets from public repositories' build logs, potentially leaking API keys and tokens from thousands of open-source projects.

Nissan's Git server was left accessible with default credentials (admin/admin), leaking source code for mobile apps and internal tooling.

A JumpCloud API key was found hardcoded in a public Starbucks GitHub repository, potentially allowing access to their identity management infrastructure.

Uber engineers committed AWS credentials to a private GitHub repo. Attackers used them to access an S3 bucket containing 57 million user records, leading to a $148M settlement.

Thousands of Laravel applications expose their APP_KEY and database credentials via publicly accessible .env files due to misconfigured web servers.