Cybernews reports that more than 1.1 million secrets have been publicly exposed by the environment files of 58,364 websites around the world, most of which are in the U.S., followed by Germany, India, France, and Singapore.
Database credentials were the most prevalently exposed secret, having been observed across more than 27,000 websites' .envs, followed by application keys, email credentials, Mautic admin credentials, and Amazon Web Services keys, a report from the Cybernews research team showed.
While version control issues, web server misconfigurations, human error, lacking access control, and deployment mistakes have been cited as the primary reasons for leaked .env files, most databases with exposed credentials and their respective websites were discovered to have been using the same server, reducing challenges for threat actors, said researchers.
"Without any IP whitelisting, anyone who finds the correct credentials can log into the database and read private customer and company information," researchers added.