Learn · Evidence
AI agent credential leak statistics (2026)
Last updated:
Last verified against primary sources: June 11, 2026
In short
Three numbers define the AI agent credential problem in 2026: 28.65 million secrets hit public GitHub in 2025, Claude Code-assisted commits leaked at roughly twice the baseline rate (3.2% vs 1.5%), and 24,008 secrets were found in MCP configuration files.
Every statistic on this page is verified at its primary source and dated. The pattern across all of them is the same: raw credentials sitting in files, configs, and workspaces that AI agents read, write, and publish from. The structural fix is keeping keys out of agent context entirely.
The numbers, sourced and dated
28.65 million
new hardcoded secrets were added to public GitHub commits in 2025 — a 34% increase year over year. The report headline rounds it to "29M secrets".
Source: GitGuardian, The State of Secrets Sprawl 2026 · March 17, 2026
3.2% vs 1.5%
Claude Code-assisted commits showed a 3.2% secret-leak rate versus a 1.5% baseline across all public GitHub commits — roughly twice the baseline rate for AI-assisted work.
Source: GitGuardian, The State of Secrets Sprawl 2026 · March 17, 2026
24,008
unique secrets were exposed in MCP-related configuration files across public GitHub, including 2,117 unique valid credentials.
Source: GitGuardian, The State of Secrets Sprawl 2026 · March 17, 2026
428 packages
on npm shipped a .claude/settings.local.json file (out of ~46,500 scanned); roughly one in thirteen of those settings files contained something sensitive — 33 files across 30 packages.
Source: Lakera, "Your AI Coding Assistant Just Shipped Your API Keys" · April 22, 2026
82 : 1
machine identities for every human identity in organizations worldwide, per a survey of 2,600 security decision-makers.
Source: CyberArk, 2025 Identity Security Landscape · April 23, 2025
90% by 2028
of organizations that allow humans to share credentials with AI agents will have to make a significant investment to undo this design due to security and compliance issues — a Gartner prediction, as cited by WorkOS (the underlying Gartner research is not publicly available).
Source: Gartner, as cited by WorkOS · June 10, 2026
9 seconds
is how long it took an AI coding agent to delete a Railway production database in April 2026 after finding a long-lived API token in an unrelated file — as reported by WorkOS.
Source: WorkOS · June 10, 2026
ASI03
is "Identity & Privilege Abuse" in the OWASP Top 10 for Agentic Applications — leaked credentials let agents operate far beyond their intended scope.
Source: OWASP GenAI Security Project · December 9, 2025
Root cause
across documented MCP security incidents: "over-privileged credentials combined with untrusted tool/context input remains the most repeated pattern in both incident reports and practitioner discussions."
Source: AuthZed, A Timeline of MCP Security Breaches · updated May 30, 2026
What the numbers have in common
None of these are model failures. They are placement failures: a raw, long-lived credential sat in a file, a config, or a workspace that an agent (or the repository around it) could read and emit. That is why the durable fix is structural — keep the key out of agent context and let the agent request approved actions at runtime instead. For what can go wrong inside a single tool's workflow, see can Claude Code workflows expose API keys?
What changed
- 2026-06-11Page created. All nine statistics verified at the listed primary sources.
This page is re-verified quarterly. Statistics that cannot be confirmed at a reachable source are removed rather than kept. Outloop is in commercial beta — see the security model.
Keys that never enter agent context can't end up in these numbers.
Outloop is accepting qualified AI agencies, operators, and dev shops into commercial beta.
Reserve 14-day guided trial