Secret Keys Exposed: Over 900 Fortune 500 and Government TLS Certificates Found Vulnerable After Massive Key Leak
A new joint study by Google and GitGuardian has uncovered a troubling weakness at the heart of internet security. Researchers found that more than 2,600 valid TLS certificates protecting major websites were compromised after their private encryption keys were accidentally exposed online.
Even more alarming, over 900 of those certificates belonged to Fortune 500 companies, healthcare providers, and government agencies. The findings highlight how a simple mistake, such as accidentally committing sensitive files to public repositories, can undermine the encryption that secures global internet traffic.
Image credit: GitGuardian
The Backbone of Internet Security
TLS certificates are responsible for encrypting connections between users and websites. They are the technology behind the padlock icon that appears in web browsers when a connection is secure.
Each certificate is bound to a pair of cryptographic keys. The public key is published in the certificate itself, but the matching private key must remain secret. If that private key leaks, attackers could impersonate the legitimate website or intercept sensitive communications such as passwords, payment data, and confidential messages.
According to researchers, the accidental exposure of these private keys effectively breaks the security guarantees that TLS encryption is meant to provide.
Millions of Keys Accidentally Published
GitGuardian has tracked roughly one million unique private keys that were accidentally published to public code repositories since 2021. Many of these appeared on platforms like GitHub and DockerHub, often embedded in configuration files, scripts, or container images.
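The leaks described above mostly happen at commit time, so the cheapest defence is a check that runs before a file ever reaches a public repository. The script below is an added example written for this article, not GitGuardian's or Google's tooling: a minimal pre-commit style scanner that refuses to proceed when a file contains a PEM private key block. The file names and the placeholder key material in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the study or any vendor's scanner): block commits
# that contain PEM-armoured private keys. Paths and sample files are constructed.

# Matches the PEM headers of the common private key encodings:
# PKCS#1 RSA, PKCS#8 ("PRIVATE KEY" / "ENCRYPTED PRIVATE KEY"), EC, DSA and OpenSSH.
PRIVATE_KEY_RE='-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----'

# scan_for_private_keys FILE... : reports each offending file on stderr and
# returns 1 if any file contains a private key block, 0 otherwise.
scan_for_private_keys() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # -e / -- keep grep from reading the leading dashes of the pattern
        # or a file name as options.
        if grep -Eq -e "$PRIVATE_KEY_RE" -- "$f"; then
            echo "BLOCKED: $f contains a PEM private key block" >&2
            found=1
        fi
    done
    return $found
}

# As a git hook (.git/hooks/pre-commit), scan only the staged files:
#   git diff --cached --name-only --diff-filter=ACM | xargs sh -c 'scan_for_private_keys "$@"' _
# The same function can be pointed at a Docker build context before `docker build`.

# Demo with constructed files: one config that embeds a key block, one clean file.
demo_dir=$(mktemp -d)
printf 'db_host=example.invalid\n%s\n%s\n%s\n' \
    '-----BEGIN RSA PRIVATE KEY-----' \
    'MIIE...placeholder, not real key material...' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/config.env"
printf 'db_host=example.invalid\n' > "$demo_dir/clean.env"
if scan_for_private_keys "$demo_dir"/*.env; then
    echo "no private keys found"
else
    echo "commit would be rejected"
fi
rm -rf "$demo_dir"
```

The pattern is deliberately narrow: it catches the PEM armour that almost every leaked TLS key carries, which is the case the study is about, and a commercial scanner would add detectors for bare key material in JSON, YAML or environment files.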
Researchers cross-referenced these leaked keys with Google’s extensive web telemetry dataset. This allowed them to map the exposed keys to approximately 140,000 real TLS certificates currently or previously in use across the internet.
By September 2025, 2,622 of those certificates were still valid and actively protecting websites.
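The cross-referencing step above rests on a simple property: a private key and the certificate issued for it share the same public key, so a digest of the SubjectPublicKeyInfo (SPKI) taken from each side will match. The script below is an added example written for this article, not the study's pipeline: it uses the openssl CLI to decide whether a key found in a repository is the private key behind a given certificate. The self-signed test material and file names are constructed by the script itself; in a real check the certificate would come from the live server or a Certificate Transparency log.

```shell
#!/bin/sh
# Added example (not the researchers' tooling): match a leaked private key to a
# certificate by comparing SHA-256 digests of the DER SubjectPublicKeyInfo.
# Requires the openssl command-line tool. All files are constructed below.

# spki_fingerprint_of_key KEY.pem : hex SHA-256 of the key's public half (DER SPKI)
spki_fingerprint_of_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# spki_fingerprint_of_cert CERT.pem : the same digest taken from a certificate
spki_fingerprint_of_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY.pem CERT.pem : exit 0 only if KEY is the private key of CERT
key_matches_cert() {
    k=$(spki_fingerprint_of_key "$1")
    c=$(spki_fingerprint_of_cert "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_test_material DIR : a self-signed certificate with its key, plus an
# unrelated key, so the comparison can be exercised offline.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.invalid" \
        -keyout "$1/site.key" -out "$1/site.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" >/dev/null 2>&1
}

# To test against a certificate a host is actually serving, fetch it first:
#   openssl s_client -connect www.example.invalid:443 -servername www.example.invalid \
#       </dev/null 2>/dev/null | openssl x509 > live.crt
#   key_matches_cert leaked.key live.crt && echo "revoke and reissue"

work=$(mktemp -d)
make_test_material "$work"
if key_matches_cert "$work/site.key" "$work/site.crt"; then
    echo "site.key is the private key for site.crt: revoke and reissue"
fi
if ! key_matches_cert "$work/other.key" "$work/site.crt"; then
    echo "other.key does not belong to site.crt"
fi
rm -rf "$work"
```

Because the digest covers only the public half, the same fingerprint can be compared against every certificate ever issued for a domain, which is how a single leaked key can be tied to many certificates, including ones issued long after the leak.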
Fortune 500 and Government Systems Affected
The most concerning discovery was that over 900 of the compromised certificates belonged to major corporations and government institutions. These certificates were still being used in live environments despite the associated private keys being publicly available.
With access to a leaked private key, an attacker could potentially impersonate a trusted website or conduct man-in-the-middle attacks against users connecting to that service.
In practice, this means encrypted connections could be silently intercepted without the victim noticing anything unusual.
The Mystery of the “Ghost Owners”
One of the biggest challenges researchers faced was identifying who actually owned the compromised certificates. Only 16 percent of the exposed certificates contained information that clearly identified the organization responsible for them.
To locate the owners, the research team had to perform extensive digital detective work. This included scraping website metadata, analyzing domain ownership records, and using AI-assisted web crawling to identify possible contacts.
Even after these efforts, around 1,300 certificates remained untraceable, meaning the affected systems could remain exposed indefinitely.
Low Response From Affected Organizations
When researchers attempted to notify organizations, the response rate was surprisingly low. The team sent more than 4,300 disclosure emails to over 600 organizations, yet only about 9 percent replied.
Some organizations even questioned whether possessing a website’s private encryption key represented a real security problem, highlighting a worrying gap in awareness around cryptographic risk.
Eventually, the researchers achieved a 97 percent remediation rate, largely by contacting the certificate authorities responsible for issuing the affected certificates rather than relying solely on the organizations themselves.
Toward a More Resilient Certificate Ecosystem
The study concludes that the industry must rethink how TLS keys are managed. Static certificates that remain valid for long periods increase the risk of prolonged exposure if a key leaks.
Researchers advocate moving toward single-use or automatically rotating keys, where certificates are replaced frequently and compromised keys lose value quickly.
As cloud infrastructure and automated deployments become more common, secure key management and continuous monitoring of exposed secrets are increasingly critical for protecting the internet’s underlying trust model.