Secrets & Data Leaks Detection

Data leaks often stem from hardcoded credentials, misconfigured access controls, or unencrypted data flows. This category covers vulnerabilities leading to the exposure of Personally Identifiable Information (PII), API keys, and enterprise secrets across modern software supply chains.

Verified by Precogs Threat Research

How does Precogs AI detect PII and hardcoded secrets?

Static regex rules often miss obfuscated secrets or produce massive false positives. Precogs AI uses AI-powered entropy analysis and contextual comprehension to detect 100+ secret types (from AWS keys to GCP service accounts) across source code, raw binaries, and CI/CD pipelines with high fidelity.

Explore Secrets & Data Leaks by Category

Deep-dive into specific areas of secrets & data leaks to understand the attack surfaces, common vulnerability patterns, and how Precogs AI provides protection.

By Secret Type

Cloud Provider Keys

AWS Access KeysAWS Access Key IDs and Secret Access Keys hardcoded in source, config files, or compiled binariesGCP Service AccountsGoogle Cloud service account JSON keys and OAuth tokens embedded in applicationsAzure CredentialsAzure AD client secrets, storage account keys, and SAS tokens in code repositories

Database & Infrastructure

Connection StringsDatabase connection URIs with embedded credentials for PostgreSQL, MySQL, MongoDB, Redis
Passwords & CertificatesPlaintext passwords and TLS certificates stored in config files and environment variables

Code & API Keys

SSH & PGP KeysPrivate SSH keys and PGP keys committed to repositories or embedded in Docker images
API TokensGitHub PATs, Slack bot tokens, Stripe API keys, and third-party service credentials

PII & Regulated Data

Credit Card NumbersPCI DSS violations from credit card numbers in logs, databases, or source code
SSN & National IDsSocial Security Numbers and government IDs exposed in data pipelines
Email & PIIGDPR/CCPA violations from personal data in logs, error messages, and analytics

By Source Location

Detection Surfaces

Source CodeHardcoded strings in .py, .js, .go, .java files detected pre-commit and in CI/CD pipelines
Git HistorySecrets committed and later removed are still in .git history — Precogs scans the full commit log
Compiled BinariesStrings extracted from compiled executables, shared libraries, and firmware images
Config Files.env, .kubeconfig, docker-compose.yml, terraform.tfvars, and other infrastructure configs

Vulnerability Types

CWE-798

HIGH

Hardcoded Credentials

Embedding usernames, passwords, API keys, or tokens directly in source code or compiled binaries. One of the most common...

CWE-312

HIGH

Cleartext Storage of Sensitive Information

Storing passwords, PII, financial data, or health records in plaintext in databases, files, logs, or environment variabl...

CWE-532

HIGH

Insertion of Sensitive Information into Log File

Logging PII, credentials, session tokens, or financial data to application logs, where it may be exposed to unauthorized...

CWE-200

HIGH

Exposure of Sensitive Information to an Unauthorized Actor

Unintentional disclosure of PII, internal system details, or credentials through error messages, API responses, debug ou...

CWE-321

HIGH

Use of Hard-coded Cryptographic Key

Embedding encryption keys, signing keys, or TLS certificates directly in source code or firmware. Attackers who obtain t...

CWE-359

HIGH

Exposure of Private Personal Information

Application handles PII (names, SSN, health records, financial data) without proper access controls, anonymization, or c...

CWE-256

HIGH

Plaintext Storage of a Password

Storing user passwords in plaintext or reversible encryption in databases, configuration files, or application state, en...

CWE-257

HIGH

Storing Passwords in a Recoverable Format

Using reversible encryption (AES, Base64) instead of one-way hashing for password storage. If the encryption key is leak...

CWE-311

HIGH

Missing Encryption of Sensitive Data

Transmitting or storing sensitive data (PII, financial records, health data) without encryption, violating compliance re...

CWE-319

HIGH

Cleartext Transmission of Sensitive Information

Sending credentials, PII, or payment data over HTTP, unencrypted MQTT, or raw TCP connections where network sniffers can...

← Previous
Page 1 of 2

Recently Discovered in Secrets & Data Leaks

Browse the latest vulnerabilities and exposures dynamically tracked to the Secrets & Data Leaks domain.

Compiling vulnerability feed...

Detect Secrets & Data Leaks Vulnerabilities Automatically

Precogs AI scans your code and binaries for Secrets & Data Leaks vulnerabilities and generates AutoFix PRs — no manual review needed.

Start Free Scan