
New Flare study: 42% of vulnerable images provide full access to the cloud.

News | 18.12.2025

Massive Leak on Docker Hub: Research Findings

According to the latest report from our partners at Flare, Docker Hub has become an unexpected source of critical data for attackers. After analyzing images uploaded in just one month, researchers discovered over 10,000 public containers containing exposed credentials.

This data is not just test tokens. We are talking about live access keys to production environments, cloud infrastructures, databases, and CI/CD pipelines. Among the victims are over 100 organizations, including a Fortune 500 company and a major national bank.

Key Threat Statistics

The research revealed alarming statistics demonstrating how deeply the problem is ingrained in development processes:

  • 42% of compromised images contain 5 or more secrets simultaneously. This means a single container could provide full access to the entire infrastructure.
  • 4,000 keys for AI models (LLMs) were found exposed, indicating that the pace of AI adoption is outstripping security measures.
  • 75% of deleted secrets were not rotated. Developers often remove a key from a container but forget to revoke it, leaving "open doors" for hackers.

Paradigm Shift: Hacking vs. Leaking

Hackers are changing tactics. Instead of searching for complex zero-day vulnerabilities, they use automated scanners to find keys that developers leave in the code.

Traditional Attack

  • Method: Vulnerability exploitation, encryption cracking.
  • Resource: Requires high skill and time.

Leak-Based Attack (Log in)

  • Method: Using valid credentials (API keys, tokens).
  • Resource: Instant access to repositories and cloud accounts without resistance from security systems.

Recommendations for Security Teams

To avoid your company appearing in the next leak report, Flare recommends implementing the following measures:

  • Centralize secrets management. Stop storing keys in code or container environment variables.
  • Scan continuously. Implement automated secrets scanning at all stages of CI/CD.
  • Rotate, don't just delete. If a secret is exposed, it must be revoked and replaced immediately.
  • Monitor Shadow IT. Ensure visibility of assets created by contractors or developers on personal accounts.
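
One way to apply the scanning and rotation advice above, as an added example that is not from Flare's report or from Softprom: a CI gate that checks an image's OCI config JSON for credentials in config.Env and in the layer history, where a value set by an earlier ENV instruction stays readable after a later instruction blanks it. The sample config, the detection rules and the function names are constructed for illustration.

```python
import json
import re

# Constructed OCI image config JSON (the config blob every image carries).
# AKIAIOSFODNN7EXAMPLE is AWS's published documentation key, not a live one.
SAMPLE_CONFIG = json.dumps({
    "config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                       "DB_PASSWORD=constructed-not-real",
                       "AWS_ACCESS_KEY_ID="]},
    "history": [
        {"created_by": "/bin/sh -c #(nop)  ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"},
        {"created_by": "/bin/sh -c pip install -r requirements.txt"},
        {"created_by": "/bin/sh -c #(nop)  ENV AWS_ACCESS_KEY_ID="},
    ],
})

ASSIGNMENT = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\S+)")
# Illustrative rules only (assumption); a real gate would use a maintained rule set.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)
SECRET_VALUE = re.compile(r"^AKIA[0-9A-Z]{16}$")  # AWS access key ID format


def scan_image_config(raw):
    """Return sorted (location, variable) pairs; values are never echoed."""
    cfg = json.loads(raw)
    sources = [("config.Env", e) for e in (cfg.get("config") or {}).get("Env") or []]
    sources += [(f"history[{i}]", h.get("created_by", ""))
                for i, h in enumerate(cfg.get("history") or [])]
    findings = set()
    for location, text in sources:
        # Empty assignments (NAME=) do not match, so a blanked variable is
        # clean in Env while its earlier value is still caught in history.
        for name, value in ASSIGNMENT.findall(text):
            if SECRET_NAME.search(name) or SECRET_VALUE.match(value):
                findings.add((location, name))
    return sorted(findings)


def ci_gate(raw):
    """Exit status for a pipeline step: 1 blocks the push, 0 allows it."""
    return 1 if scan_image_config(raw) else 0


if __name__ == "__main__":
    for location, name in scan_image_config(SAMPLE_CONFIG):
        print(f"{location}: {name} looks like a credential; remove and rotate it")
    raise SystemExit(ci_gate(SAMPLE_CONFIG))
```

The history[0] finding is the case behind the 75% figure: the final environment no longer holds the key, yet anyone who pulls the image can still read it, so the key has to be revoked as well as removed.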

Softprom is an official distributor of Flare. We help companies set up external threat monitoring and protect digital assets.