65% of the 50 leading AI companies analyzed had leaked verified secrets on GitHub.

Almost half of the disclosures regarding leaked secrets by leading AI companies on GitHub either failed to reach the target or received no response.

The total valuation of the companies with verified secret leaks is over $400B.

In one specific case (an AI50 Company with no disclosure permission), a HuggingFace token found in a deleted fork allowed access to about 1K private models. The leak also included multiple WeightsAndBiases API keys belonging to organizational employees that leaked training data for many private models

The company with the smallest footprint that still had verified leak instances had 0 public repositories and 14 organization members.

The company with the largest footprint without an exposed secret had 60 public repositories and 28 organization members.

Three-quarters (75%) of scams now target critical workflows such as account creation and sign-in processes.

45% of Canadian IT & security professionals reported that employees using weak or compromised credentials is a top security concern

48% of organizations adopted AI-enhanced phishing detection.

33% of ransomware incidents involved compromised credentials

36% of insider incidents involved user credentials.

When asked which egress channels for the outflow of sensitive data does your organization worry most about, 31% said screen captures.

61% of security leaders are very concerned about credential compromise being used for insider activity over the next 12 months.

88% of open-source Model Context Protocol (MCP) server implementations require credentials.

53% of open-source Model Context Protocol (MCP) server implementations rely on insecure, long-lived static secrets, such as API keys and Personal Access Tokens (PATs).

28% of Gen Z parents admit to sharing passwords verbally or through text or email.

The rate of suspected digital fraud for account creation attempts increased by 26% from H1 2024 (when the rate was 6.6%) to H1 2025.

8.3% of all digital account creation attempts globally were suspected of fraud in H1 2025, making account creation the highest risk stage in the consumer lifecycle.

18% of organizations cited brute forcing or credential stuffing as the most common API security problem.

46% of developers worry about AI systems sharing or leaking API credentials.