How do attackers find leaked API keys?

Short answer

Automated scrapers index every public GitHub commit within seconds. Specialized tools (TruffleHog, Gitleaks, GitGuardian's public monitoring, and dozens of private ones) run continuously against GitHub, GitLab, Bitbucket, npm and PyPI. A leaked key is typically detected and validated within about 60 seconds of being pushed, long before the author notices the mistake.

The attacker economy around leaked secrets is mature and fast:

  • **Scraper infrastructure**: dozens of tools consume GitHub's public events API in real time. Every new commit is inspected for 500+ secret patterns (vendor-specific prefixes such as `AKIA`, `ghp_`, `sk_live_`, plus high-entropy strings that match no known format).
  • **Pattern matching + validation**: each candidate is immediately tested against the vendor's API with a cheap authenticated call (e.g., listing models confirms an OpenAI key works; AWS keys are checked with `sts:GetCallerIdentity`). Only keys that answer are kept, so placeholders and revoked keys are filtered out automatically.
  • **Market / monetization**: validated keys enter marketplaces. OpenAI keys are resold for inference farming, AWS keys for crypto mining on GPU instances, Stripe keys for refund fraud.
  • **Mass exploitation**: keys are used within minutes to hours of discovery. GitGuardian reports the median time-to-abuse is under 2 hours for high-value keys.
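The detect-then-validate pipeline described above, as an added example that is not code from this page, from Securie, or from any of the tools named. The key patterns are assumed approximations of the public formats (not vendor-official regexes), the diff is constructed, and the validator is injected so the script runs offline; a real scraper would plug in the vendor API calls at that point.

```python
"""Minimal secret scanner: regex detection, entropy filter, validation hook.

Added illustrative example. PATTERNS are assumed approximations of well-known
key formats; SAMPLE_DIFF and demo_validator are constructed for the demo.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

# Assumed approximations of public key formats (not vendor-official regexes).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat":        re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "stripe_live_key":   re.compile(r"\b(sk_live_[A-Za-z0-9]{24,})\b"),
    "openai_key":        re.compile(r"\b(sk-[A-Za-z0-9]{20,})\b"),
}

# Constructed commit diff: one real-looking AWS key ID (the AWS documentation
# example value), one fake GitHub PAT, and one obvious placeholder.
SAMPLE_DIFF = "\n".join([
    "diff --git a/config.py b/config.py",
    "--- a/config.py",
    "+++ b/config.py",
    "@@ -1,2 +1,5 @@",
    " DEBUG = False",
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"',
    '+PLACEHOLDER = "' + "AKIA" + "X" * 16 + '"',
])


@dataclass
class Finding:
    kind: str
    secret: str
    line_no: int
    entropy: float
    live: Optional[bool] = None  # None until a validator has been run


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like AKIAXXXX... score very low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def added_lines(diff: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, text) for lines the commit adds. Removed lines are
    skipped here because the previous commit, where they were added, was
    already scanned; a real feed keeps both."""
    for i, line in enumerate(diff.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            yield i, line[1:]


def scan_diff(diff: str, min_entropy: float = 3.0) -> List[Finding]:
    """Stage 1: pattern match every added line, drop low-entropy placeholders."""
    findings: List[Finding] = []
    for line_no, text in added_lines(diff):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(text):
                candidate = m.group(1)
                ent = shannon_entropy(candidate)
                if ent < min_entropy:
                    continue  # e.g. "AKIA" + 16 x "X": matches the shape, not a key
                findings.append(Finding(kind, candidate, line_no, round(ent, 2)))
    return findings


def validate_findings(findings: List[Finding],
                      validator: Callable[[str, str], bool]) -> List[Finding]:
    """Stage 2: ask the vendor whether the key works. The validator is injected;
    in production it would call e.g. STS GetCallerIdentity for AWS or GET /user
    for GitHub and return True only on an authenticated 200."""
    for f in findings:
        f.live = validator(f.kind, f.secret)
    return findings


# Constructed stand-in for vendor validation: pretend only the AWS key answers.
LIVE_IN_DEMO = {"AKIAIOSFODNN7EXAMPLE"}


def demo_validator(kind: str, secret: str) -> bool:
    return secret in LIVE_IN_DEMO


if __name__ == "__main__":
    for f in validate_findings(scan_diff(SAMPLE_DIFF), demo_validator):
        status = "LIVE" if f.live else "dead"
        print(f"line {f.line_no}: {f.kind} entropy={f.entropy} {status}")
```

The entropy gate is what keeps the validation stage cheap: every string that matches a key shape but is obviously a placeholder never costs an API call, so the attacker's budget goes to candidates that might actually work.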

This matters because:

  • A commit you force-pushed to delete is not gone. The object still exists in every clone and fork, in the reflog of anyone who fetched it, and on GitHub itself, where it stays fetchable by SHA until GitHub garbage-collects it. Scrapers that saw it in the event feed already have a copy, so rewriting history never un-leaks a key; the only reliable remediation is to revoke and rotate it.
  • GitHub's built-in secret scanning catches some patterns but not all, and a detection that arrives after the push is already too late.
  • Private repos are safer but not immune: a compromised employee account, a malicious CI integration, or a misconfigured mirror exposes them just the same.
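The first point above, that a rewritten commit remains readable by SHA, as an added example that is not part of the original page. It builds a throwaway repository, commits a constructed placeholder key, amends the commit the way people "remove" a secret, and then shows that `git log --all` no longer contains the key while the object is still retrievable by SHA and through the reflog. It assumes a `git` binary on PATH and uses no real credential.

```python
"""Show that amending/force-pushing over a leaked commit does not remove it.

Added example, not from the page. Requires `git` on PATH; FAKE_SECRET is a
constructed placeholder, not a real key.
"""
import os
import subprocess
import tempfile
from typing import Tuple

FAKE_SECRET = "AKIA" + "Q" * 16  # constructed placeholder, matches the AWS shape


def git(repo: str, *args: str) -> str:
    """Run a git command in `repo` and return its stdout (stripped)."""
    result = subprocess.run(["git", "-C", repo, *args],
                            check=True, capture_output=True, text=True)
    return result.stdout.strip()


def build_demo_repo() -> Tuple[str, str]:
    """Create a repo, commit the secret, then rewrite that commit away.
    Returns (repo path, SHA of the rewritten-away commit)."""
    repo = tempfile.mkdtemp(prefix="leak-demo-")
    git(repo, "init", "-q")
    git(repo, "config", "user.email", "dev@example.com")
    git(repo, "config", "user.name", "dev")
    path = os.path.join(repo, "config.py")

    with open(path, "w") as f:
        f.write(f'AWS_ACCESS_KEY_ID = "{FAKE_SECRET}"\n')
    git(repo, "add", "config.py")
    git(repo, "commit", "-q", "-m", "add config")
    leaked_sha = git(repo, "rev-parse", "HEAD")

    # The usual "fix": replace the literal, amend, and (on a remote) force-push.
    with open(path, "w") as f:
        f.write('import os\nAWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n')
    git(repo, "commit", "-q", "-a", "--amend", "-m", "add config")
    return repo, leaked_sha


def secret_in_refs(repo: str, secret: str) -> bool:
    """What a casual `git log --all -p` sees: only commits reachable from refs."""
    out = subprocess.run(["git", "-C", repo, "log", "--all", "-p"],
                         capture_output=True, text=True).stdout
    return secret in out


def secret_by_sha(repo: str, sha: str, secret: str) -> bool:
    """What a scraper that recorded the SHA sees: the object is still there."""
    return secret in git(repo, "show", f"{sha}:config.py")


def sha_in_reflog(repo: str, sha: str) -> bool:
    """The reflog still points at the rewritten-away commit, so it will not
    be garbage-collected for weeks by default."""
    return sha in git(repo, "log", "-g", "--format=%H").splitlines()


if __name__ == "__main__":
    repo, sha = build_demo_repo()
    print("visible via refs:   ", secret_in_refs(repo, FAKE_SECRET))   # False
    print("readable by SHA:    ", secret_by_sha(repo, sha, FAKE_SECRET))  # True
    print("still in reflog:    ", sha_in_reflog(repo, sha))             # True
```

On a hosted remote the same holds: the force-push moves the branch ref, but the old commit object stays on the server, in every fork, and in every scraper's cache, which is why rotating the key is the only remediation that actually works.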

The defense is prevention: pre-commit scanning on the developer's machine, a secrets manager so keys are injected at runtime and never sit in source, and push protection on the remote as the last gate. Securie catches leaks in the PR before merge.
