Full Report
Machine or programmatic identities, such as services, apps, scripts, bots, and other automated agents, are all working behind the scenes to automate workflows. In other words, machines and systems are talking to other machines without human involvement.
Analysis Summary
# Main Topic
The primary threat intelligence narrative centers on the security risks associated with **Non-Human Identities (NHIs)**, such as service accounts, API keys, and bots, which operate programmatically without human involvement. The proliferation of these machine identities is outpacing human users, creating a vast attack surface where compromised NHI credentials lead to significant breaches across various sectors.
## Key Points
- The number of NHIs significantly outweighs human identities; Kubernetes service accounts in DevOps environments outnumber human identities by a factor of 45:1.
- Secrets detected in public repositories frequently remain valid after exposure (`70%` in a 2022 study), indicating poor credential hygiene and slow revocation.
- AI-assisted code development may exacerbate credential exposure, producing exposure patterns that differ from those seen in human-written code.
- The Open Worldwide Application Security Project (OWASP) has published the "Top 10 Non-Human Identities Risks – 2025" to catalog the most critical risks associated with NHIs.
- Breaches involving NHIs are overwhelmingly attributed to failures in properly securing secrets, credentials, or environments, frequently stemming from human error.
## Threat Actors
- **Chinese state-sponsored hackers**: Attributed with using a compromised API key belonging to third-party vendor BeyondTrust to access U.S. Treasury Department systems.
- **Unknown Actors**: Responsible for attacks exploiting unsecured credentials to access numerous Snowflake customer accounts.
- **Unknown Actors**: Responsible for leveraging legitimate, exposed credentials to compromise Dropbox Sign's production environment.
## TTPs
* **Secret Leakage/Exposure**: Credentials (API keys, tokens) are accidentally stored in unprotected locations like code, config files, or chat tools.
* **Insecure Third-Party Reliance**: Abusing NHIs held by or issued to third parties (e.g., the compromised BeyondTrust vendor API key) to reach the downstream customer.
* **Insecure Authentication/Credential Abuse**: Utilizing stolen API keys, OAuth tokens, or plain-text credentials to authenticate and access systems without human interaction.
* **Overprivileged NHIs**: Compromised identities acting with excessive permissions, enabling lateral movement.
* **GitHub Artifact Tampering**: Retroactively re-pointing a GitHub Action's version tags at a malicious commit, so that every workflow pinned to those tags executes a payload that scrapes secrets from the CI/CD runner (observed in the TJ Actions incident).
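Secret leakage (the Key Point about secrets in public repositories and the first TTP above) is normally caught by pattern matching plus an entropy filter to suppress placeholders. The scanner below is an added example written for this summary, not code from the page or from any vendor it names. The two known-format patterns follow the documented AWS access-key-ID shape and GitHub classic-PAT prefix; the generic assignment rule and the 3.5-bit entropy cutoff are assumptions. The sample config is constructed: the AWS values are the placeholders AWS uses in its own documentation and the GitHub token is fabricated.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Well-known credential formats. The AWS access key ID shape (AKIA followed by
# 16 upper-case alphanumerics) and the GitHub classic PAT prefix (ghp_) are
# documented by those vendors; everything else in this file is an assumption.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic "name = value" assignments whose name looks credential-related.
# ${VAR} references never match because '$' and '{' are outside the value class.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_.-]*(?:secret|token|password|api[_-]?key)[a-z0-9_.-]*)"
    r"\s*[=:]\s*['\"]?(?P<value>[A-Za-z0-9_\-/+=]{12,})"
)

ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cutoff for generic matches


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders like REPLACEME score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


@dataclass
class Finding:
    line_no: int
    kind: str
    name: str
    value: str

    def redacted(self) -> str:
        # Never echo the full secret into logs or tickets.
        return f"{self.value[:4]}...({len(self.value)} chars)"


def scan_text(text: str) -> list:
    """Return findings in line order: known formats first, then generic hits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, kind, "", m.group(0)))
                seen.add(m.group(0))
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            # Skip values already reported by a known format, and low-entropy
            # placeholders that are not real secrets.
            if any(k in value for k in seen) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(line_no, "generic_assignment", m.group("name"), value))
    return findings


# Constructed sample config (not a real file). The AWS key pair is the
# placeholder AWS uses in its own documentation; the GitHub token is invented.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = REPLACEME_REPLACEME
api_key = ${API_KEY}
GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} {f.name} -> {f.redacted()}")
```

Running it against the constructed config reports the AWS key ID on line 2, the AWS secret on line 3 (caught by the generic rule, since it has no fixed prefix) and the GitHub token on line 6, while the `REPLACEME` placeholder and the `${API_KEY}` reference are correctly ignored. A finding on a public repository should be treated as a revocation task first and a cleanup task second, because removing the commit does not invalidate the credential.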
## Affected Systems
- **Cloud Environments**: Over 230 million AWS cloud environments compromised via insecurely stored AWS credentials.
- **SaaS Platforms**: Snowflake customer accounts accessed with stolen credentials on accounts lacking MFA and credential rotation.
- **Third-Party Providers**: BeyondTrust (vendor whose API key was exploited).
- **Code Repositories/CI/CD**: GitHub (The New York Times source code theft) and CI/CD workflows (TJ Actions secret scraping).
- **Production Environments**: Dropbox Sign's production environment breached via abuse of a service account.
- **Government Agencies**: U.S. Treasury Department workstations accessed.
## Mitigations
- **Vigilant Credential Management**: Implement strict controls for the storage, rotation, and deactivation of secrets, tokens, and certificates.
- **Implement Least Privilege**: Ensure NHIs are granted only the minimum necessary permissions (addressing Overprivileged NHIs risk).
- **Enforce Lifecycle Management**: Proper offboarding procedures must be established to immediately deactivate or remove unused non-human identities.
- **Environment Isolation**: Prevent the reuse of identities across different risk environments (e.g., dev vs. production).
- **Secure Authentication**: Move away from deprecated or weak authentication methods for machine-to-machine communication.
- **Credential Rotation and MFA**: Enforce regular credential rotation, and require Multi-Factor Authentication on any account that can authenticate interactively to critical data stores, since stolen single-factor credentials were sufficient in the Snowflake incidents.
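The mitigations above map directly onto checks that can be run over an identity inventory. The script below is an added example written for this summary, not code from the page, from OWASP or from any vendor named here. It audits a constructed inventory against fixed thresholds (90-day rotation, 60-day idle limit, a list of broad grants and a list of static authentication methods), all of which are assumptions rather than anything the page prescribes, and returns the rotation, lifecycle, isolation, least-privilege and authentication findings per identity.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy thresholds; adjust to your own standard.
MAX_SECRET_AGE_DAYS = 90   # static secrets older than this must be rotated
MAX_IDLE_DAYS = 60         # identities unused this long are offboarded
BROAD_GRANTS = {"*", "*:*", "admin", "owner"}
STATIC_AUTH = {"static_api_key", "password", "long_lived_token"}


@dataclass
class NonHumanIdentity:
    name: str
    auth_method: str        # e.g. "oidc_workload_identity" or "static_api_key"
    created: date           # when the credential was issued
    last_used: Optional[date]
    environments: set       # environments where this same credential is presented
    permissions: set        # granted actions, in whatever notation the platform uses


def audit_identity(nhi: NonHumanIdentity, today: date) -> list:
    """Apply the mitigation checks to one identity; each issue carries a prefix."""
    issues = []
    age = (today - nhi.created).days
    # Rotation: only static secrets age; federated short-lived credentials do not.
    if nhi.auth_method in STATIC_AUTH and age > MAX_SECRET_AGE_DAYS:
        issues.append(f"rotation: static secret is {age} days old")
    # Lifecycle: never-used or idle identities are offboarding candidates.
    if nhi.last_used is None:
        issues.append("lifecycle: never used, remove it")
    elif (today - nhi.last_used).days > MAX_IDLE_DAYS:
        idle = (today - nhi.last_used).days
        issues.append(f"lifecycle: idle for {idle} days, deactivate it")
    # Isolation: one credential must not bridge dev/staging/prod.
    if len(nhi.environments) > 1:
        issues.append("isolation: one credential used in " + ", ".join(sorted(nhi.environments)))
    # Least privilege: wildcard or admin-style grants.
    broad = nhi.permissions & BROAD_GRANTS
    if broad:
        issues.append("least-privilege: broad grants " + ", ".join(sorted(broad)))
    # Secure authentication: static secrets versus workload identity federation.
    if nhi.auth_method in STATIC_AUTH:
        issues.append(f"auth: {nhi.auth_method} is a static secret; prefer short-lived federated credentials")
    return issues


def audit_inventory(inventory, today: date) -> dict:
    return {nhi.name: audit_identity(nhi, today) for nhi in inventory}


TODAY = date(2025, 6, 1)  # fixed reference date so the example is reproducible

# Constructed inventory (hypothetical identities, not from any real environment).
SAMPLE_INVENTORY = [
    NonHumanIdentity("ci-deploy-prod", "oidc_workload_identity", date(2025, 1, 10),
                     date(2025, 5, 30), {"prod"}, {"deploy:write"}),
    NonHumanIdentity("legacy-etl-key", "static_api_key", date(2023, 3, 1),
                     date(2025, 5, 28), {"dev", "prod"}, {"*"}),
    NonHumanIdentity("old-backup-bot", "password", date(2024, 11, 15),
                     None, {"staging"}, {"s3:read"}),
]

if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

The federated `ci-deploy-prod` identity passes every check, `legacy-etl-key` fails four (it is an 823-day-old static key with a wildcard grant shared between dev and prod), and `old-backup-bot` fails three (a never-used password credential well past its rotation window). In practice the inventory comes from the cloud provider's credential report, the Kubernetes API or the secrets manager, and the `last_used` field is the one most often missing, which is itself a finding.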
## Conclusion
The security landscape is increasingly defined by the abuse of Non-Human Identities. Since NHIs vastly outnumber human users, their compromise represents a systemic risk. The documented breaches across major organizations demonstrate that fundamental security failures—specifically secrets sprawl, lack of rotation, and improper offboarding—are the leading catalysts for massive data exposure and unauthorized access. Organizations must prioritize securing these programmatic access paths immediately, treating machine credentials with the same or higher scrutiny applied to human credentials, especially enforcing strict entitlement management.