A joint GitGuardian and Google research study analyzed approximately one million private keys leaked on GitHub and DockerHub since 2021, mapping over 40,000 of them to 140,000 real TLS certificates via Google's Certificate Transparency database. As of September 2025, 2,622 certificates were still valid, with over 900 protecting Fortune 500 companies, healthcare providers, and government agencies. A responsible disclosure campaign sent 4,300 emails to 600 organizations, achieving only a 9% response rate. After directly contacting Certificate Authorities, 97% remediation was ultimately achieved, but 84 certificates remained valid as of January 2026. The research highlights systemic failures: widespread misunderstanding of private key risks, rare use of certificate revocation, and private keys outliving multiple certificate renewals. The authors recommend shortening cryptoperiods, enforcing single-use private keys, and blacklisting compromised keys across all CAs.
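The mapping step at the heart of the study (a leaked private key to the certificates issued for it) comes down to comparing the public half of the key with the SubjectPublicKeyInfo of each certificate, and the same comparison is what a defender runs to decide which certificates a leaked key compromises. The Go program below is an added example, not code from the study or from GitGuardian or Google: it fingerprints the SPKI of a PKCS#8 PEM private key and of PEM certificates, reports whether a key matches a certificate, and counts how many certificates share one key (the "private keys outliving renewals" pattern). The key pair, the unrelated key, the `example.test` name and the two self-signed certificates are constructed fixtures; in practice the certificates would come from a Certificate Transparency lookup and a match means the certificate must be revoked and the key replaced.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIFingerprint is the hex SHA-256 of the DER SubjectPublicKeyInfo. A private key
// and every certificate ever issued for it share this value, which is what lets a
// leaked key be matched against certificates found in Certificate Transparency logs.
func SPKIFingerprint(pub crypto.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// KeyFingerprint derives the fingerprint from a PKCS#8 PEM private key; only the public half is used.
func KeyFingerprint(keyPEM []byte) (string, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return "", errors.New("no PEM block in key input")
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	signer, ok := k.(crypto.Signer)
	if !ok {
		return "", errors.New("key type has no usable public half")
	}
	return SPKIFingerprint(signer.Public())
}

// CertFingerprint derives the fingerprint from a PEM certificate.
func CertFingerprint(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return "", errors.New("no PEM block in certificate input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return SPKIFingerprint(cert.PublicKey)
}

// KeyMatchesCert is the defender's check: true means the certificate was issued for
// this (leaked) key, so it is compromised and must be revoked.
func KeyMatchesCert(keyPEM, certPEM []byte) (bool, error) {
	kf, err := KeyFingerprint(keyPEM)
	if err != nil {
		return false, err
	}
	cf, err := CertFingerprint(certPEM)
	if err != nil {
		return false, err
	}
	return kf == cf, nil
}

// KeyReuse counts certificates per fingerprint; a count above 1 is a key carried across a renewal.
func KeyReuse(certPEMs [][]byte) (map[string]int, error) {
	counts := map[string]int{}
	for _, c := range certPEMs {
		f, err := CertFingerprint(c)
		if err != nil {
			return nil, err
		}
		counts[f]++
	}
	return counts, nil
}

// MakeFixtures builds constructed demo data (not from the study): a "leaked" key, an
// unrelated key, and two self-signed certificates (original plus renewal) for the leaked key.
func MakeFixtures() (leakedPEM, otherPEM []byte, certs [][]byte, err error) {
	var keys [2]*ecdsa.PrivateKey
	var pems [2][]byte
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, nil, nil, err
		}
		der, err := x509.MarshalPKCS8PrivateKey(keys[i])
		if err != nil {
			return nil, nil, nil, err
		}
		pems[i] = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	}
	for serial := int64(1); serial <= 2; serial++ { // same key, two issuances
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "example.test"}, // placeholder name
			NotBefore:    time.Now(),
			NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &keys[0].PublicKey, keys[0])
		if err != nil {
			return nil, nil, nil, err
		}
		certs = append(certs, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	}
	return pems[0], pems[1], certs, nil
}

func main() {
	leaked, other, certs, err := MakeFixtures()
	if err != nil {
		panic(err)
	}
	hit, _ := KeyMatchesCert(leaked, certs[0])
	miss, _ := KeyMatchesCert(other, certs[0])
	reuse, _ := KeyReuse(certs)
	fmt.Println("leaked key matches cert:", hit, "| unrelated key matches:", miss, "| certs per key:", reuse)
}
```

The fingerprint is computed from the public key alone, so the check never needs to load the private scalar into anything but the parser; it also makes the comparison independent of the PEM label or encoding the leaked file used. Running `KeyReuse` over every certificate issued for a domain is a quick way to verify the single-use-key recommendation: each fingerprint should appear exactly once.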

Source: securityboulevard.com (6 min read)