Two-Thirds of Top AI 50 Companies Leaked Sensitive Data on GitHub, Including API Keys and Tokens
Published
Key Takeaways
- Widespread leaks: A security analysis revealed that 65% of the private companies listed on the Forbes AI 50 have leaked sensitive data on GitHub.
- Exposed secrets: The leaked information includes verified secrets for platforms like HuggingFace, WeightsAndBiases, and ElevenLabs.
- Deep scan methodology: The research used a deep scanning technique that went beyond standard repository scans to include commit histories, deleted forks, and developer gists.
Several prominent AI startups exposed secrets on GitHub. An investigation found that nearly two-thirds (65%) of the private companies featured on the Forbes AI 50 list have inadvertently leaked sensitive credentials and secrets, including API keys and tokens.
Uncovering Hidden API Key Leaks
The research, conducted by cloud security firm Wiz, employed a comprehensive scanning methodology that went far beyond typical repository analysis, focusing on:
- Depth (searching for new sources)
- Perimeter (expanding to adjacent discovery)
- Detection coverage (new secret types)Â
Researchers performed deep scans that included full commit histories, deleted forks, workflow logs, and developer gists—areas often missed by standard security tools.Â
This approach led to the discovery of high-impact secrets, including enterprise-tier API key leaks for platforms like LangChain and ElevenLabs. In one case, a leaked HuggingFace token provided access to approximately 1,000 private models. These three were acknowledged and addressed promptly.
The total valuation of the companies with verified leaks exceeds $400 billion. The analysis shows that significant risks often lurk "below the surface," outside an organization's primary repositories, as the company with the smallest footprint had no public repositories.
Implications and Mitigation Strategies
These Forbes AI 50 data leaks underscore a critical challenge for the rapidly growing AI industry: maintaining security hygiene while innovating at speed. To mitigate these risks, security experts recommend:
- Mandating comprehensive secret scanning across public version control systems.Â
- Establishing clear disclosure channels.Â
- Treat employee and contributor accounts on platforms like GitHub as part of the company's attack surface.
An October study revealed that enterprise AI adoption is being significantly hampered by fundamental data challenges, as security gaps force firms to rethink adoption.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular