With the rise of AI chatbots such as DeepSeek, organizations face a growing challenge: how do you balance innovative technology with robust data protection? While AI promises to boost productivity and streamline workflows, it can also invite new risks. Sensitive data—whether it’s customer payment information or proprietary research—may inadvertently end up in the prompts or outputs of AI models.

This year's report offers a look at what changed, what stayed the same, and where you can find a little hope in the quest for effective secrets management. While other reports focus on code repositories, Nightfall detects secrets across numerous mission critical SaaS apps and endpoints, giving a more comprehensive picture of leakage trends throughout the development lifecycle. We found secrets in ticketing apps, messaging and collaboration tools, cloud workspaces, and yes, code repositories.

In December 2024, Cyberhaven fell victim to a sophisticated cyberattack that exploited a phishing campaign targeting its Chrome Web Store account. This breach compromised over 400,000 users by injecting malicious code into its browser extension, exfiltrating sensitive data such as cookies and session tokens. The incident has drawn significant attention due to Cyberhaven's role as a cybersecurity provider and the broader implications for browser extension security.

Did you know that data breaches can cost companies upward of $4 million apiece? That's a price tag many businesses can't afford—not to mention the reputational damage that comes with poor data security. But don't panic! Data loss prevention tools are here to come to the rescue, offering CISOs and security analysts some much-needed peace of mind. Let's dive into how you can use these tools to build an ironclad data protection strategy.

While cyber criminals continue to devise ever more creative ways to get into systems, the outcomes of repeat like a broken record: stolen data and lost money. It happened in again and again this year, but our pick proves the stakes are only getting higher with time. We'll explain the logic behind the list, impacts felt, and key takeaways.

An insider is any person with authorized access to systems or data that gives them the ability to take potentially harmful actions. Insiders range from business partners or third party contractors to full- and part-time employees–essentially all valid users with access to resources that you'd rather keep out of the wrong hands. People are just people, but when they mishandle data, they fall into the category of being an insider threat–intentional or not.

97% of enterprise leaders consider a well-executed API strategy critical in driving their organization's growth and protecting revenue streams, yet according to a recent study, 84% of security professionals reported API security incidents over the past year. In March, a GitHub breach exposed nearly 13 million API secrets that users had left in the repository over time, severely impacting customer trust and causing reputational damage.

Our customers often tell us about how they implement manual classification policies. However, with several hundreds of files created daily, and constant sharing between teams, it becomes impossible to enforce secure sharing and sensitive data protection. Imagine that your sales team just accidentally shared a spreadsheet containing customer credit card details with an external vendor. Or perhaps your HR department stored employee health records in a folder that wasn't properly restricted.

Where are your credentials and secrets, and how are you protecting them? These are fair questions, considering the pervasiveness of secrets sprawl. We recently conducted research over 12 months to determine where enterprises’ secrets were residing within their systems, like GitHub, Confluence, Zendesk and Slack. In addition to API keys and passwords, secrets like SSL certificates, usernames and others are spilling into enterprises’ cloud environments and increasing the risk of a breach.

When it comes to building a comprehensive data security strategy, everything hinges on finding and accurately classifying all your sensitive data. It seems security professionals have finally given up on legacy solutions that require extensive labeling and manual data mapping — and not a moment too soon. We're confident no one will mourn the passing of legacy solutions.