
Nightfall Releases the 2025 State of Secrets Exposure Report

This year's report offers a look at what changed, what stayed the same, and where you can find a little hope in the quest for effective secrets management. While other reports focus on code repositories, Nightfall detects secrets across numerous mission-critical SaaS apps and endpoints, giving a more comprehensive picture of leakage trends throughout the development lifecycle. We found secrets in ticketing apps, messaging and collaboration tools, cloud workspaces, and yes, code repositories.

What is Data Lineage and Why Does it Matter in Data Loss Prevention?

In today's data-driven world, organizations handle vast amounts of sensitive information, ranging from personally identifiable information (PII) to protected health information (PHI) and payment card industry (PCI) data. Ensuring the security and compliance of this data is not only a legal requirement but also essential for maintaining customer trust and protecting the organization's reputation.

Here's What We Can Learn from the Cyberhaven Incident

In December 2024, Cyberhaven fell victim to a sophisticated cyberattack that exploited a phishing campaign targeting its Chrome Web Store account. This breach compromised over 400,000 users by injecting malicious code into its browser extension, exfiltrating sensitive data such as cookies and session tokens. The incident has drawn significant attention due to Cyberhaven's role as a cybersecurity provider and the broader implications for browser extension security.

The 12 Best Data Loss Prevention Software Solutions of 2025 and 50+ FAQs Answered

Data breaches cost companies an average of more than $4 million per incident—and that’s before considering the reputational fallout. Data Loss Prevention (DLP) tools have become indispensable for safeguarding sensitive data, especially as organizations embrace hybrid, remote, and cloud-first operations. Once limited to rules-based data classification, modern DLP has evolved into a powerful fusion of AI-driven classification and AI-based data lineage.

The 7 Most Telling Data Breaches of 2024

While cyber criminals continue to devise ever more creative ways to get into systems, the outcomes repeat like a broken record: stolen data and lost money. It happened again and again this year, but our pick proves the stakes are only getting higher with time. We'll explain the logic behind the list, impacts felt, and key takeaways.

People Problem or Data Problem? Risks and Mitigation of Insider Threats

An insider is any person with authorized access to systems or data that gives them the ability to take potentially harmful actions. Insiders range from business partners or third party contractors to full- and part-time employees–essentially all valid users with access to resources that you'd rather keep out of the wrong hands. People are just people, but when they mishandle data, they fall into the category of being an insider threat–intentional or not.

Loose AWS API keys: what's your real risk?

97% of enterprise leaders consider a well-executed API strategy critical in driving their organization's growth and protecting revenue streams, yet according to a recent study, 84% of security professionals reported API security incidents over the past year. In March, a GitHub breach exposed nearly 13 million API secrets that users had left in the repository over time, severely impacting customer trust and causing reputational damage.

Intelligent Data Classification: Transforming Google Drive Security

Our customers often tell us about how they implement manual classification policies. However, with several hundred files created daily, and constant sharing between teams, it becomes impossible to enforce secure sharing and sensitive data protection. Imagine that your sales team just accidentally shared a spreadsheet containing customer credit card details with an external vendor. Or perhaps your HR department stored employee health records in a folder that wasn't properly restricted.

How To Prevent Secrets Sprawl

Where are your credentials and secrets, and how are you protecting them? These are fair questions, considering the pervasiveness of secrets sprawl. We recently conducted research over 12 months to determine where enterprises’ secrets were residing within their systems, like GitHub, Confluence, Zendesk and Slack. In addition to API keys and passwords, secrets like SSL certificates, usernames and others are spilling into enterprises’ cloud environments and increasing the risk of a breach.

9 Leading Data Protection Alternatives to Metomic

When it comes to building a comprehensive data security strategy, everything hinges on finding and accurately classifying all your sensitive data. It seems security professionals have finally given up on legacy solutions that require extensive labeling and manual data mapping — and not a moment too soon. We're confident no one will mourn the passing of legacy solutions.