Michael Avdeev · Insights · 4 min read

Your AWS Keys Are in a Spreadsheet Somewhere. Right Now.

Maybe it’s a CSV that someone exported 18 months ago and forgot about. Maybe it’s a Slack thread screenshot or a config file in a shared Google Drive. It’s definitely not in your secrets manager where it belongs.

This is what I see every day building Risk Finder.

Companies spend millions on perimeter security, IAM policies, zero-trust architecture. All the right boxes checked. But the basics? API keys, database credentials, private SSH keys — they end up in files that nobody thinks to check.

And it only takes one.

One exposed Stripe key in a log file. One hardcoded database password in a backup script. One AWS access key in a PDF that got attached to a Jira ticket two years ago. That’s all it takes to undo the entire investment.

Where Secrets Actually End Up

Here’s where we find them:

The obvious places nobody looks:

  • Old CSV exports from admin panels
  • Screenshots in documentation folders
  • Config files copied to shared drives “temporarily”
  • Backup scripts with hardcoded credentials
  • Log files that captured a debug session

The less obvious places:

  • PDFs generated from wikis that contained env examples
  • Jupyter notebooks committed to repos
  • Slack exports from workspace migrations
  • Email attachments in PST archives
  • VM snapshots with .env files baked in

The pattern is always the same. Someone needed to share something quickly. They copy-pasted. They exported. They attached. They moved on. The secret stayed.

Pattern Matching Isn’t Enough

Most scanners look for patterns. A string matching AKIA[A-Z0-9]{16} gets flagged as a potential AWS access key ID. The problem is that the regex has no way to know whether those 16 characters were ever issued by AWS, so random-looking strings trigger false positives constantly: base64 blobs, test fixtures, documentation examples such as AWS's own AKIAIOSFODNN7EXAMPLE. All of it looks like a credential to a regex.

So teams either drown in false positives or turn down the sensitivity until the scanner is useless.

We took a different approach with our 103 security classifiers. Validation goes deeper than pattern matching, so we can tell the difference between a random string and an actual token: format validation (prefix, length and character set), checksum verification where the token format carries one, and contextual analysis of the surrounding content.

The classifiers cover:

  • Cloud providers: AWS, Azure, Google Cloud, Oracle Cloud, DigitalOcean, Linode, Vultr
  • Payment & fintech: Stripe, Square, PayPal, Plaid, Coinbase
  • Dev tools: GitHub, GitLab, Bitbucket, NPM, Docker Hub, CircleCI, Travis CI
  • SaaS platforms: Slack, Shopify, Twilio, SendGrid, Mailchimp, Datadog, New Relic, OpenAI
  • Infrastructure: SSH private keys, PGP keys, SSL certificates, JWT secrets

90+ platforms total. The goal isn’t to find things that look like secrets. It’s to find actual secrets.
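To make the difference between pattern matching and validation concrete, here is an added example in Python. It is not Risk Finder's code, and the three token types it handles are a small illustration rather than the product's classifiers. It layers the checks described above: a regex produces candidates; a placeholder filter and an entropy check discard documentation values; a checksum is verified where the token format carries one (GitHub's prefixed ghp_/gho_/ghu_/ghs_/ghr_ tokens end in a base62 CRC32 of the 30 random characters before it, and the base62 alphabet order used here, digits then upper then lower case, is an assumption); and the surrounding text decides whether a lone AWS access key ID has its secret next to it. The sample file, the key values and the GitHub token are constructed for the example; the only real value is AWS's published documentation key, which the scanner must reject.

```python
"""Layered secret validation: added example, not Risk Finder's code.
Regex candidates -> placeholder filter -> entropy -> checksum -> context."""
import math
import re
import zlib
from collections import Counter

# Stage 1: cheap regex candidates. Alone, these are what produce the false positives.
CANDIDATES = {
    "aws_access_key_id": re.compile(r"(?<![A-Za-z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Za-z0-9])"),
    "github_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    "stripe_secret_key": re.compile(r"\b(sk_(?:live|test)_[A-Za-z0-9]{24,})\b"),
}
# The 40-character secret that accompanies a real AWS access key ID.
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
# Stage 2: documentation placeholders that satisfy the regex but are not credentials.
PLACEHOLDER = re.compile(r"EXAMPLE|X{4,}|0{6,}|YOUR_|CHANGEME", re.IGNORECASE)
KNOWN_DOC_VALUES = {"AKIAIOSFODNN7EXAMPLE"}  # AWS's own documentation example
CONTEXT_WORDS = ("secret", "token", "password", "authorization", "bearer",
                 "access_key", "api_key", "apikey")
HARD_FAIL = {"placeholder", "low_entropy", "bad_checksum"}
# Base62 alphabet for the GitHub checksum (assumed order: digits, upper case, lower case).
B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for 'XXXXXXXXXXXXXXXX', 4.0 for 16 distinct characters."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def b62_crc32(data: str) -> str:
    """CRC32 of data, base62-encoded and zero-padded to six characters."""
    n, out = zlib.crc32(data.encode()), ""
    while n:
        n, r = divmod(n, 62)
        out = B62[r] + out
    return out.rjust(6, "0")


def github_checksum_ok(token: str) -> bool:
    """Stage 3, a check no regex can do: the last six characters of a prefixed
    GitHub token must be the base62 CRC32 of the 30 random characters before them."""
    body = token.split("_", 1)[1]
    return len(body) == 36 and b62_crc32(body[:30]) == body[30:]


def has_credential_context(text: str, start: int, end: int, window: int = 80) -> bool:
    """Stage 4: roughly a line either side; real keys sit next to a key name or header."""
    ctx = text[max(0, start - window):end + window].lower()
    return any(w in ctx for w in CONTEXT_WORDS)


def classify(text: str) -> list[dict]:
    """Return every candidate with a verdict and the reasons that drove it."""
    findings = []
    for kind, rx in CANDIDATES.items():
        for m in rx.finditer(text):
            value, reasons = m.group(1), []
            random_part = value.split("_")[-1] if "_" in value else value[4:]
            if value in KNOWN_DOC_VALUES or PLACEHOLDER.search(value):
                reasons.append("placeholder")
            if shannon_entropy(random_part) < 3.0:
                reasons.append("low_entropy")
            if kind == "github_token" and not github_checksum_ok(value):
                reasons.append("bad_checksum")
            if kind == "aws_access_key_id":
                # An access key ID is only half a credential: look for the 40-character
                # secret on the same line or the next two.
                following = "\n".join(text[m.end():].split("\n", 3)[:3])
                if not AWS_SECRET.search(following):
                    reasons.append("no_secret_key_nearby")
            if not has_credential_context(text, m.start(), m.end()):
                reasons.append("no_context")
            if HARD_FAIL & set(reasons):
                verdict = "suppressed"
            elif reasons:
                verdict = "needs_review"
            else:
                verdict = "confirmed"
            findings.append({"kind": kind, "value": value, "verdict": verdict, "reasons": reasons})
    return findings


# Constructed sample input, not real data. The GitHub token is assembled with a valid
# checksum; the second copy has its last character retyped, as happens in pasted tickets.
GH_RANDOM = "k3Vq9Lm2Xt7Rw4Zp8Hn5Jb6Yc1Dg0F"
GITHUB_TOKEN = "ghp_" + GH_RANDOM + b62_crc32(GH_RANDOM)
GITHUB_TOKEN_TYPO = GITHUB_TOKEN[:-1] + ("0" if GITHUB_TOKEN[-1] != "0" else "1")
SAMPLE = f"""Ticket 4127 (constructed): key ID AKIA7H2KD9QW4RTV6YBN was seen in the audit log, please check.

# deploy-notes.md (constructed sample, not real data)
Example from the docs: aws_access_key_id = AKIAIOSFODNN7EXAMPLE
Fill in: AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX

[default]
aws_access_key_id = AKIA4B7Q2XZ9LM3TP8VW
aws_secret_access_key = 9Xq2/pLm7VtR3sKd8WnB1cYf5hJa0eGz4uIo6TkQ

export GITHUB_TOKEN={GITHUB_TOKEN}
export GITHUB_TOKEN={GITHUB_TOKEN_TYPO}
STRIPE_SECRET_KEY=sk_live_Tq8vZ2mK4nXr7pLw9sHj3bDf
"""

if __name__ == "__main__":
    for f in classify(SAMPLE):
        print(f"{f['verdict']:13} {f['kind']:18} {f['value']}  {','.join(f['reasons'])}")
```

Run as-is, the two documentation values and the mistyped GitHub token are suppressed, the key ID from the ticket comes back as needs_review because neither its secret nor any credential context is nearby, and only the three credentials a leak would actually expose are confirmed. Note that entropy alone would not have caught AKIAIOSFODNN7EXAMPLE (its entropy is about 3.6 bits per character), which is why the placeholder list and the context check exist alongside it.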

The Breach Nobody Sees Coming

Security teams spend their cycles on sophisticated threats. APT groups. Zero-days. Supply chain attacks. That’s where the interesting work is.

But the breach that takes you down probably won’t be some sophisticated zero-day. It’ll be a Datadog API key in a PDF that nobody remembered was there. Or an OpenAI token in a Jupyter notebook that got shared with a contractor. Or database credentials in an Excel file that’s been sitting in a legal hold archive for three years.

The unsexy breaches don’t make headlines. But they happen constantly.

What To Do About It

  1. Scan everything, not just repos. Git secret scanning is table stakes. But secrets live in file shares, cloud storage, archives, backups, email — everywhere files accumulate.

  2. Look for what’s actually exposed. Prioritize files that are accessible. A secret in a public S3 bucket is a different problem than a secret in encrypted cold storage.

  3. Automate the rotation trigger. When you find an exposed secret, the response matters more than the detection. API key rotation should be a button, not a project.

  4. Accept that secrets will leak. Build systems assuming credentials will end up where they shouldn’t. Short-lived tokens. Minimal permissions. Easy rotation. Defense in depth for the inevitable.
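Step 3 is the one most teams leave manual. As an added example (not Risk Finder's code, and not anything AWS publishes), here is what "rotation as a button" looks like for a leaked AWS access key, written in Python against the boto3 IAM calls get_access_key_last_used, update_access_key, list_access_keys, delete_access_key and create_access_key. The FakeIAM class is an in-memory stand-in constructed so the example runs offline, and every key ID in it is made up. The order is the point: deactivate rather than delete, so the action is reversible and the key ID stays available for CloudTrail correlation; make room for the replacement, because IAM allows two access keys per user; refuse rather than guess when both slots are active; and hand the new secret to the secrets manager without printing it anywhere.

```python
"""Rotation playbook for a leaked AWS access key. Added example, not Risk Finder's
code: `iam` is any object exposing the boto3 IAM calls used below, so the routine
runs against boto3.client("iam") or the in-memory FakeIAM stand-in."""
from dataclasses import dataclass, field


@dataclass
class RotationResult:
    user: str
    leaked_key: str
    replacement_key: str = ""
    deleted: list = field(default_factory=list)


def rotate_leaked_key(iam, leaked_key_id: str) -> RotationResult:
    """Deactivate the leaked key, make room, issue a replacement.

    Deactivation rather than deletion keeps the action reversible and leaves the
    key ID for CloudTrail correlation. IAM allows two access keys per user, so an
    old inactive key is removed to free a slot; if both slots are active the
    routine refuses instead of guessing which one production depends on."""
    # Works even for keys that were never used: the response still names the owner.
    user = iam.get_access_key_last_used(AccessKeyId=leaked_key_id)["UserName"]
    iam.update_access_key(UserName=user, AccessKeyId=leaked_key_id, Status="Inactive")
    result = RotationResult(user=user, leaked_key=leaked_key_id)

    for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if key["AccessKeyId"] != leaked_key_id and key["Status"] == "Inactive":
            iam.delete_access_key(UserName=user, AccessKeyId=key["AccessKeyId"])
            result.deleted.append(key["AccessKeyId"])

    remaining = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(remaining) >= 2:
        raise RuntimeError(f"{user} still has {len(remaining)} keys; retire one before rotating")

    new_key = iam.create_access_key(UserName=user)["AccessKey"]
    result.replacement_key = new_key["AccessKeyId"]
    # new_key["SecretAccessKey"] is handed to the secrets manager at this point; it is
    # never printed, logged or attached to the ticket that reported the leak.
    return result


class FakeIAM:
    """In-memory stand-in for boto3's IAM client, constructed for this example."""

    def __init__(self, users: dict):
        self.keys = {u: [{"AccessKeyId": k, "Status": s} for k, s in ks] for u, ks in users.items()}
        self.created = 0

    def get_access_key_last_used(self, AccessKeyId):
        for user, keys in self.keys.items():
            if any(k["AccessKeyId"] == AccessKeyId for k in keys):
                return {"UserName": user, "AccessKeyLastUsed": {}}
        raise KeyError(AccessKeyId)

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys[UserName]]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        next(k for k in self.keys[UserName] if k["AccessKeyId"] == AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]

    def create_access_key(self, UserName):
        if len(self.keys[UserName]) >= 2:
            raise RuntimeError("LimitExceeded: two access keys per user")
        self.created += 1
        key_id = f"AKIAFAKE{self.created:012d}"  # made-up ID, 20 characters like a real one
        self.keys[UserName].append({"AccessKeyId": key_id, "Status": "Active"})
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "not-a-real-secret"}}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # real run: python rotate.py AKIA...
        import boto3
        print(rotate_leaked_key(boto3.client("iam"), sys.argv[1]))
    else:
        demo = FakeIAM({"deploy-bot": [("AKIAEXAMPLELEAKED001", "Active"),
                                       ("AKIAEXAMPLEOLD000002", "Inactive")]})
        print(rotate_leaked_key(demo, "AKIAEXAMPLELEAKED001"))
```

The leaked key is left in place, inactive, until the incident is closed and someone confirms nothing still depends on it; deleting it in the same step would destroy the only easy way to undo a mistaken rotation and to match the key ID against CloudTrail.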

The companies that don’t get breached aren’t the ones with perfect hygiene. They’re the ones who assume imperfect hygiene and plan accordingly.


Risk Finder scans your files for leaked secrets across 90+ platforms — AWS, Azure, Google Cloud, GitHub, Stripe, OpenAI, Slack, Shopify, and more. No per-GB pricing, no metered scanning.
