GitGuardian partnered with Google to answer: what happens when private keys leak? Using Certificate Transparency, we mapped about 1M leaked keys to 140k certificates. Result: 2,622 were valid as of September 2025, exposing major organizations. Our disclosure campaign achieved 97% remediation.

GitGuardian Blog provides insights, tutorials, and updates on secrets management, code security, and developer best practices. Covering topics such as credential leaks, code scanning, and secure development workflows, GitGuardian Blog offers resources for developers, security professionals, and DevOps teams. Readers can learn about detecting and preventing secrets exposure, securing code repositories, and implementing secure coding practices through GitGuardian's articles and security guides.

GitGuardian

A joint study by GitGuardian and Google mapped approximately 1 million leaked private keys from GitHub and DockerHub to 140,000 TLS certificates using Certificate Transparency logs. As of September 2025, 2,622 certificates were still valid, with over 900 protecting Fortune 500 companies, healthcare providers, and government agencies. A responsible disclosure campaign sent 4,300 emails to 600 organizations but received only a 9% response rate. After directly contacting Certificate Authorities, 97% remediation was achieved, though 84 certificates remained valid as of January 2026. The research highlights systemic failures: widespread misunderstanding of private key risks, rare use of certificate revocation, and private keys outliving multiple certificate renewals. The authors recommend shorter cryptoperiods, single-use private keys, and mandatory key rotation as industry standards.

2,622 Valid Certificates Exposed: A Google-GitGuardian Study Maps Private Key Leaks to Real-World Risk