Bots Exposed: The Growing Threat of Data Leaks
▼ Summary
– Non-human identities (NHIs) like bots and service accounts are the fastest-growing security risk, with a 44% year-over-year increase in H1 2025, now outnumbering human identities 144 to 1.
– Secrets are widely scattered across insecure locations such as messaging apps, CI/CD logs, and spreadsheets, with 57% of exposures from hardcoded secrets in source code and the rest from other sources.
– CI/CD workflows and messaging tools like Slack and SharePoint are significant sources of leaks, with accidental exposure of tokens and credentials during builds or troubleshooting.
– Many NHIs and their secrets remain active for years without review, with 7.5% aged 5-10 years and 2.3% of secrets over a decade old, increasing attack surfaces due to overprivileged access.
– Security teams should expand secret-scanning beyond code, audit and retire unused NHIs, and enforce strict access controls, especially for admin-level machine identities.
The silent threat lurking in enterprise systems isn’t human, it’s the growing army of bots and automated tools leaking sensitive data at alarming rates. Recent findings reveal that non-human identities (NHIs) like service accounts and automation scripts have become the fastest-growing security vulnerability, outpacing traditional human-related risks by staggering margins.
Machine identities now outnumber human ones 144 to 1, a sharp increase from just 92 to 1 the previous year. Every new bot introduced into an environment brings with it a fresh batch of credentials, API keys, and tokens, many of which end up forgotten, overprivileged, or stored in risky locations. Research shows these secrets are scattered across cloud platforms, code repositories, and even collaboration tools, with most lacking proper protection.
“The explosion of agentic AI and automation has created a shadow population of invisible, unmanaged machine identities,” explains a cybersecurity expert. “Attackers target these weak points because organizations often don’t even know they exist.”
While hardcoded secrets in source code remain the largest single source of leaks (57%), nearly half now originate elsewhere. CI/CD workflows account for over a quarter of exposures, with build logs accidentally revealing tokens and credentials. One high-profile breach involved a compromised GitHub Action that siphoned secrets from thousands of repositories, including major financial institutions.
Messaging platforms like Slack and Microsoft Teams are emerging as unexpected leak vectors, responsible for 14% of incidents. Developers frequently paste credentials into chats or tickets for troubleshooting, leaving them exposed indefinitely. Even SharePoint has become a problem, automatic syncing pushes local files containing secrets into the cloud, with spreadsheets being the biggest culprits.
Aging machine identities compound the risk. Nearly half of active NHIs are over a year old, and 7.5% have been around for five to ten years. Shockingly, one in every thousand is more than a decade old. These forgotten accounts often retain excessive permissions, with 62% showing no recent activity yet still holding access to critical systems. In AWS environments, 5.5% of machine identities have full admin rights, creating ripe targets for attackers.
Security teams must expand their focus beyond code. Scanning for secrets should include office documents, logs, and collaboration platforms. For NHIs, regular audits are critical to identify stale accounts, strip unnecessary privileges, and enforce expiration policies. High-level admin access should be tightly controlled and used only when absolutely essential.
The data paints a clear picture: as automation grows, so does the attack surface. Without proactive management, these invisible machine identities will continue to expose organizations to preventable breaches.
(Source: HelpNet Security)
