


Perceptive Security
SOC/SIEM Consultancy

The Double-Edged Sword of Non-Human Identities
Published: 4 February 2026 at 15:05:15
Alert date: 4 February 2026 at 16:00:59
Source: bleepingcomputer.com
Cloud & Virtualization, Identity & Access, Data Breach & Exfiltration, Supply Chain & Dependencies
Analysis of how leaked non-human identities such as API keys and tokens are becoming major drivers of security breaches in cloud environments. The article discusses how exposed machine credentials provide attackers with quiet, long-term access to enterprise systems. Flare research demonstrates the growing threat posed by compromised automated system credentials in cloud infrastructures.
Technical details
Over 10,000 Docker Hub container images were found leaking secrets, including production API keys, cloud tokens, CI/CD credentials, and AI model access tokens, in public repositories. Non-human identities (tokens, API keys, service accounts, workload identities) are machine-to-machine credentials that authenticate applications and services continuously, with broad privileges and indefinite lifespans, unlike human users, who use passwords and MFA. The Snowflake breach affected 165 organizations through UNC5537 threat actors using exposed credentials from infostealer malware dumps. Home Depot experienced a year-long exposure via a single leaked GitHub access token granting read/write access to hundreds of private repositories and connected cloud infrastructure. A Red Hat GitLab instance was compromised by Crimson Collective, which exfiltrated thousands of private repositories containing embedded credentials, tokens, and database URIs.
Mitigation steps:
Treat container images like code AND credentials as potential leak vectors for sensitive keys
Integrate automated secret scanning at every stage of the SDLC to catch leaks before images are pushed to public repositories
Adopt short-lived, ephemeral credentials backed by identity federation rather than long-lived tokens baked into images
Monitor for exposed keys in public registries and revoke them proactively
Treat non-human identities as human identities by monitoring their behavior, limiting their access, and deleting them when no longer needed
Use specialized Threat Exposure Management platforms that continuously scan public registries and code repositories for exposed credentials
Implement automated detection and revocation capabilities for organizations managing thousands of non-human identities
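One way to implement the pre-push secret scan from the mitigation steps, as an added example (not code from the article or from Flare): it checks an image config's Env entries and build history, both of which ship with the image. The three patterns, the function names and the sample config are assumptions constructed for illustration.

```python
import re

# Well-known credential formats; a production scanner carries many more rules.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "db-uri-with-password": re.compile(
        r"\b(?:postgres(?:ql)?|mongodb(?:\+srv)?)://[^\s:/@]+:[^\s@]+@"),
}

def redact(secret):
    """Keep a short prefix for triage; never echo the full secret into CI logs."""
    return secret[:6] + "*" * (len(secret) - 6)

def scan_image_config(config):
    """Return (location, rule, redacted match) for every hit in an image config."""
    # ENV values and build-history commands (including build args) stay in the
    # image metadata even if a later layer unsets the variable.
    fields = [(f"config.Env[{i}]", value)
              for i, value in enumerate(config.get("config", {}).get("Env") or [])]
    fields += [(f"history[{i}].created_by", entry.get("created_by", ""))
               for i, entry in enumerate(config.get("history") or [])]
    findings = []
    for location, text in fields:
        for rule, pattern in RULES.items():
            for match in pattern.finditer(text):
                findings.append((location, rule, redact(match.group(0))))
    return findings

# Constructed sample in OCI image-config layout; every value is fake.
SAMPLE = {
    "config": {"Env": [
        "PATH=/usr/local/bin:/usr/bin",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "DATABASE_URL=postgresql://app:s3cr3t@db.example.internal:5432/prod",
    ]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) WORKDIR /app"},
        {"created_by": "|1 GH_TOKEN=ghp_" + "a" * 36 + " /bin/sh -c git clone repo"},
    ],
}

if __name__ == "__main__":
    hits = scan_image_config(SAMPLE)
    for location, rule, shown in hits:
        print(f"{location}: {rule}: {shown}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the push in CI
```

A hit means the credential should be revoked and reissued, not only removed from the Dockerfile, because earlier pushed tags still carry it.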
Affected products:
Docker Hub
Snowflake
GitHub
GitLab
AT&T
Ticketmaster
Santander
Home Depot
Red Hat
AWS
Azure
GCP
MongoDB
PostgreSQL
Related links:
https://flare.io/learn/resources/docker-hub-secrets-exposed/?utm_campaign=36827706-Bleeping%20Computer%20Double%20Edged%20Sword%20-%20Feb%204th&utm_source=Paid%20Media&utm_medium=Bleeping%20Computer&utm_term=The%20Double-Edged%20Sword%20of%20Non-Human%20Identities&utm_content=The%20Double-Edged%20Sword%20of%20Non-Human%20Identities
https://flare.io/learn/resources/blog/2025-microsoft-digital-defense-report/?utm_campaign=36827706-Bleeping%20Computer%20Double%20Edged%20Sword%20-%20Feb%204th&utm_source=Paid%20Media&utm_medium=Bleeping%20Computer&utm_term=The%20Double-Edged%20Sword%20of%20Non-Human%20Identities&utm_content=The%20Double-Edged%20Sword%20of%20Non-Human%20Identities
https://try.flare.io/bleeping-computer?utm_campaign=36827706-Bleeping%20Computer%20Double%20Edged%20Sword%20-%20Feb%204th&utm_source=Paid%20Media&utm_medium=Bleeping%20Computer&utm_term=The%20Double-Edged%20Sword%20of%20Non-Human%20Identities&utm_content=The%20Double-Edged%20Sword%20of%20Non-Human%20Identities
https://flare.io/glossary/continuous-threat-exposure-management-ctem/?utm_campaign=36827706-Bleeping%20Computer%20Double%20Edged%20Sword%20-%20Feb%204th&utm_source=Paid%20Media&utm_medium=Bleeping%20Computer&utm_term=The%20Double-Edged%20Sword%20of%20Non-Human%20Identities&utm_content=The%20Double-Edged%20Sword%20of%20Non-Human%20Identities
This article was created with the assistance of AI technology by Perceptive.
