Secrets leak in the innovation race


A surprising vulnerability has emerged in the high-stakes world of artificial intelligence, where companies are competing for dominance in a market expected to reach $1.8 trillion by 2030. Major AI companies, including those on the prestigious Forbes AI 50 list, have mistakenly published sensitive information on GitHub, the world’s largest code repository. A recent study by cybersecurity firm Wiz revealed that 65% of these top AI startups have leaked sensitive information such as API keys, authentication tokens, and cloud credentials, potentially compromising intellectual property and user data.

The breach, discovered through advanced scanning technology, highlights a major oversight in an industry obsessed with rapid innovation. A report published on Wiz’s blog details how these exposures occur in public repositories, commit history, and even deleted forks. For example, companies such as Perplexity, Anthropic, and Cohere have been linked to exposed secrets that could allow unauthorized access to their proprietary models and training datasets.

Depth of discovery

Wiz took a multi-pronged approach called “depth, perimeter, and coverage” to uncover these leaks. As explained on the Wiz blog, this method goes beyond a surface-level scan to thoroughly investigate contributor repositories and organization members’ publishing highlights. This revealed not only obvious secrets, but also secrets embedded in inconspicuous places such as the LangChain integration and the Pinecone vector database.

SecurityWeek reported on November 11, 2025 that these breaches could expose training data, organizational structures, and private models, posing a risk to companies collectively valued at more than $400 billion. A SecurityWeek article highlighted the irony of AI leaders neglecting basic security hygiene, stating that “many Forbes AI 50 companies are leaking secrets on GitHub.”

Real examples and risks

Specific cases show how serious the problem is. In a November 11, 2025 article, TechRadar highlighted that the breach included API keys for services such as Hugging Face and Celebrities, which were often missed by traditional scanners. TechRadar’s report states that “major AI companies continue to leak their information on GitHub,” and points out that nearly half of affected companies failed to act or remediate even after being notified.

One alarming example from Wiz’s investigation concerned leaked tokens that granted access to the weights of a company’s internal AI models. As detailed in CSO Online’s Nov. 11, 2025 article, “AI Startup Leaks Sensitive Credentials on GitHub, Reveals Models and Training Data,” such disclosures could allow competitors to reverse engineer proprietary technology or launch cyberattacks. The CSO Online article cites experts who warn that this reflects a prioritization of speed over security in fast-growing AI companies.

Industry-wide impact

A November 10, 2025 report in The Register titled “AI companies continue to publish private API keys on GitHub” noted that 65% of top AI businesses were affected. “Security industry Wiz says 65% of top AI businesses have compromised keys and tokens,” the Register article reported, highlighting the potential for supply chain attacks where leaked credentials cascade through interconnected AI ecosystems.

The posts on X (formerly Twitter) reflect the growing concerns of those in the industry. Users like Aditya Choudhary tweeted about the breaches from Perplexity, Anthropic, Mistral, Cohere, and Midjourney on November 12, 2025, saying, “65% of top AI companies… accidentally leaked secrets on GitHub. API keys. Model weights. Cloud credentials.” This sentiment reflects a broader discussion on the platform about the risks of open source collaboration in AI development.

Challenges in remediation

When Wiz notified companies, reactions were mixed. According to a report in the November 10, 2025 issue of Infosecurity Magazine, “65% of Large AI Companies Discover Verified Secret Breaches,” many companies have no formal channels for security disclosures, leading to warnings being ignored. The Infosecurity Magazine article reveals that some leaks persist even after the companies were alerted, highlighting gaps in DevSecOps practices.

Expert Insights, in its November 12, 2025 article “Top AI companies are leaking API secrets on GitHub, says Wiz,” pointed out that the mixed appetite for solving problems is due to resource constraints at startups. “Wiz has identified that many leading AI companies are inadvertently leaking secrets on GitHub,” the Expert Insights report states, and recommends automated secret scanning tools as a preventative measure.

Historical background and pattern

This is not an isolated incident. Older posts on X, such as one by Cyril Zakka, MD in April 2023, warned about iOS/macOS apps leaking OpenAI API keys. Similarly, a 2023 post by Md Ismail Šojal discusses extracting tokens from Git disclosures, indicating that this is a long-standing problem in technology.

GBHackers on Security’s November 11, 2025 article, “65% of Top AI Companies Reveal Verified API Keys and Tokens on GitHub, Found” connects these breaches to a broader trend. A GBHackers article reported that “65% of leading AI companies have leaked verified secrets on GitHub,” exposing critical API keys and sensitive credentials that could lead to data breaches.

Prevention strategies for AI companies

To address this, industry experts recommend integrating secrets management tools like HashiCorp Vault and AWS Secrets Manager. Wiz’s blog suggests regularly auditing your repositories and educating your developers on safe coding practices. As TechRepublic noted on November 12, 2025 in “AI Giants Accidentally Leaking Secrets on GitHub,” these measures are essential to protect assets in areas where intellectual property is paramount.
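As an added illustration (not code from Wiz or any of the cited reports), the sketch below audits patch history instead of only the current tree, since the exposures described above also sit in commit history. The two regexes are simplified assumptions, and the log text and credential values are constructed.

```python
import re

# Simplified detectors (assumptions for this example, not Wiz's rule set).
PATTERNS = {
    "huggingface_token": re.compile(r"\bhf_[A-Za-z0-9]{30,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed, oldest-first patch log (as from `git log -p --reverse`).
# Commit a1a1a1a adds two fake secrets; b2b2b2b "cleans up" one of them.
SAMPLE_LOG = """\
commit a1a1a1a
--- /dev/null
+++ b/config.py
+HF_TOKEN = "hf_FAKEfakeFAKEfakeFAKEfakeFAKEfake00"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
commit b2b2b2b
--- a/config.py
+++ b/config.py
-HF_TOKEN = "hf_FAKEfakeFAKEfakeFAKEfakeFAKEfake00"
+HF_TOKEN = os.environ["HF_TOKEN"]
"""

def scan_history(log_text):
    """Map each secret seen in any patch to its kind, first commit and HEAD state."""
    findings, commit = {}, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        if line.startswith(("+++", "---")) or not line.startswith(("+", "-")):
            continue  # skip file headers and context lines
        for kind, rx in PATTERNS.items():
            for secret in rx.findall(line):
                if line[0] == "+":
                    entry = findings.setdefault(secret, {"kind": kind, "introduced": commit})
                    entry["in_head"] = True
                elif secret in findings:
                    findings[secret]["in_head"] = False  # deleted later, still in history
    return findings

def needs_rotation(findings):
    """Anything that ever appeared in history must be rotated, deleted or not."""
    return sorted(f["kind"] for f in findings.values())

if __name__ == "__main__":
    for secret, f in scan_history(SAMPLE_LOG).items():
        state = "still in HEAD" if f["in_head"] else "removed from HEAD, still in history"
        print(f'{f["kind"]}: {secret[:6]}... introduced in {f["introduced"]} ({state})')
```

A credential that a later commit deletes is still reported, because anyone who clones the repository can read it from the earlier commit.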

Digit.fyi’s November 11, 2025 report, “65% of Private AI Companies Reveal Secrets on GitHub, Report Claims,” highlighted the widening security gap. The Digit.fyi article states, “The findings highlight the widening security gap among high-profile companies,” urging AI companies to balance innovation with robust security protocols.

Broader economic and regulatory implications

Financial losses could be significant, with potential losses from intellectual property theft and regulatory fines. A November 12, 2025 article in Cyber Risk Leaders, “AI companies leak information on Github,” warned about exposed API keys leading to unauthorized access. The Cyber Risk Leaders report highlights risks to investor confidence in AI startups.

Recent X posts, including TechNadu’s post on November 11, 2025, amplified the issue. “65% of Forbes AI 50 companies had sensitive data leaked on GitHub, including API keys for HuggingFace, LangChain, and Celebrities.” This public debate puts pressure on companies to act quickly.

Future outlook for AI security

As AI evolves, so must its security framework. Wiz’s findings serve as a wake-up call and promote industry standards for secrets management. As innovation is ongoing, the challenge is to innovate safely so that the rush to build the next breakthrough leaves no room for exploitation.

Integrating AI-driven security tools can paradoxically solve AI security problems, but only if businesses heed these warnings and invest in comprehensive defenses.


