A joint study by GitGuardian and Google mapped approximately 1 million leaked private keys from GitHub and DockerHub to 140,000 TLS certificates using Certificate Transparency logs. As of September 2025, 2,622 certificates were still valid, with over 900 protecting Fortune 500 companies, healthcare providers, and government agencies. A responsible disclosure campaign sent 4,300 emails to 600 organizations but received only a 9% response rate. After directly contacting Certificate Authorities, 97% remediation was achieved, though 84 certificates remained valid as of January 2026. The research highlights systemic failures: widespread misunderstanding of private key risks, rare use of certificate revocation, and private keys outliving multiple certificate renewals. The authors recommend shorter cryptoperiods, single-use private keys, and mandatory key rotation as industry standards.
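The matching step the study relies on, linking a leaked private key to a certificate via the public key, shown as an added Go example (not code from the study or its authors): it hashes the DER SubjectPublicKeyInfo, the value Certificate Transparency front-ends index on, and reports whether a given private key is the one behind a certificate. The key and the self-signed certificate (with the constructed name `example.test`) are generated in-process as stand-ins for a key found in a repository and a certificate retrieved from a CT log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// spkiFingerprint hashes the DER SubjectPublicKeyInfo, the value CT front-ends
// index on, so a key found in a repository can be matched to logged certificates.
func spkiFingerprint(pub any) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// keyMatchesCert reports whether priv is the private key behind cert.
func keyMatchesCert(priv *ecdsa.PrivateKey, cert *x509.Certificate) bool {
	a, err1 := spkiFingerprint(&priv.PublicKey)
	b, err2 := spkiFingerprint(cert.PublicKey)
	return err1 == nil && err2 == nil && a == b
}

// selfSignedCert builds a constructed certificate for priv; it stands in for
// one fetched from a CT log (no real domain or CA is involved).
func selfSignedCert(priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	leaked, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := selfSignedCert(leaked)
	fmt.Println("leaked key matches certificate:", keyMatchesCert(leaked, cert))
}
```

In practice the fingerprint from `spkiFingerprint` is what you would search for across CT data to find every certificate, past and current, that shares a key you have found exposed, which is exactly how a key can be shown to outlive several renewals.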