In a sweeping analysis conducted in late 2025, Flare researchers uncovered more than 10,000 Docker Hub container images leaking secrets (including production API keys, cloud tokens, CI/CD credentials, and even AI model access tokens) all pushed into public repositories, often unintentionally by developers.
Non-human identities (NHIs), such as tokens, API keys, service accounts, and workload identities, are the machine-to-machine credentials that power modern software development and cloud infrastructure.
Unlike human users who authenticate with passwords and MFA, these identities authenticate applications, build pipelines, and automated services continuously, often with broad privileges and indefinite lifespans.
When people read about findings like this, the instinctive reaction is often, “They’ll learn the hard way,” or “These must be small companies or inexperienced developers — not serious enterprises or Fortune 500 firms.”
But the reality is far more complex and far more troubling than a shallow headline suggests. These exposures are not edge cases; they are structural failures of how modern software is built and operated.
To understand why, take a look at these real-world nightmares from recent years involving the exposure of non-human identities.
The Snowflake Breach: 165 Organizations Compromised Through Leaked Credentials
One of the most prominent cases that drew widespread media attention was the 2024 Snowflake incident. It was not driven by a software exploit, but by the silent abuse of long-lived credentials that had been leaking into the criminal ecosystem for years.
The threat actor cluster UNC5537 authenticated into approximately 165 Snowflake customer environments using exposed credentials harvested from historical infostealer malware dumps and cybercrime marketplaces.
These credentials (API-like accounts, automation users, and data-access identities) often lacked multi-factor authentication and were designed to persist indefinitely. The data accessed included highly sensitive corporate and customer information belonging to organizations such as AT&T, Ticketmaster, Santander, and others, which was later advertised for sale or used in extortion campaigns.