The Developer's Guide to Credential Hygiene

Source: DEV Community
Real Incident, December 2024. A developer at a fintech startup committed a .env file to a public GitHub repo. It contained a Stripe live key, a Postgres connection string, and an AWS secret access key. A bot found it in 11 seconds. The Stripe key processed $14,000 in fraudulent charges. The AWS key spun up crypto miners across three regions.

The developer had a .gitignore entry. Added months ago. But they ran git add . from a new machine where the gitignore wasn't in place. One command. Fourteen thousand dollars.

This isn't rare. GitGuardian's 2024 State of Secrets Sprawl report found 12.8 million secrets exposed in public GitHub repositories that year. The part that should keep you up at night: 70% were still valid 5 days after detection. Developers aren't just leaking secrets — they're not rotating them after the leak.

The fix isn't better security tools. It's better habits.
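The incident above turns on one fact: .gitignore only helps if it is present on the machine doing the git add. A habit that does not depend on the ignore file is a local pre-commit hook that refuses to stage the obvious cases. The hook below is an added example, not from the original article or from GitGuardian; the file-name list and the key-prefix patterns (Stripe sk_live_, AWS AKIA..., a Postgres URL with an embedded password) are my assumptions of what such a hook would check.

```shell
#!/bin/sh
# Hypothetical pre-commit hook (added example): block commits that stage a
# secrets file or a line that looks like a live credential. Install by saving
# as .git/hooks/pre-commit and making it executable.

# Returns 0 when the path looks like a secrets file (.env and variants, keys).
is_secret_filename() {
  case "$1" in
    .env|.env.*|*/.env|*/.env.*|*.pem|*id_rsa) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when stdin contains a credential-shaped token:
#   sk_live_...       Stripe live secret key prefix
#   AKIA + 16 chars   AWS access key id
#   postgres://user:password@   connection string with embedded password
content_has_secret() {
  grep -Eq 'sk_live_[0-9A-Za-z]{10,}|AKIA[0-9A-Z]{16}|postgres(ql)?://[^:/]+:[^@]+@'
}

# Walk the staged (added/copied/modified) files; non-zero status blocks the commit.
scan_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    if is_secret_filename "$f"; then
      echo "BLOCKED: $f looks like a secrets file" >&2
      status=1
    elif git show ":$f" | content_has_secret; then
      echo "BLOCKED: $f contains what looks like a live credential" >&2
      status=1
    fi
  done
  return $status
}

# Only act when git invokes this file as the hook, so the functions above can
# also be sourced and tested on their own.
if [ "${0##*/}" = "pre-commit" ]; then
  scan_staged || {
    echo "Commit aborted. Remove the secret; if it was ever pushed, rotate it." >&2
    exit 1
  }
fi
```

Because the check runs on the staged blob (git show ":$f"), it catches the git add . case even when the working tree has no .gitignore at all.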