Phantom Secrets: Undetected Secrets Expose Major Corporations
ID: ce0d8e47-5051-51ba-af01-3c1ca2007cf4
STIX ID: report--ce0d8e47-5051-51ba-af01-3c1ca2007cf4
Feed Name: Aqua Security Blog
This research shows how common Git/SCM behaviors and overlooked references (mirror-only refs, pull request refs, dangling remote-tracking refs, and cached GUI commits) allow secrets to remain retrievable even after they appear to have been removed. The authors empirically found that ~17.78% of potential secrets in top GitHub organizations would be missed by standard git clone-based scanning, and they disclose concrete high-impact findings (Mozilla fuzzing/telemetry tokens, Meraki admin tokens, and an Azure service principal with high privileges). The report outlines discovery techniques, provides statistics, and recommends mitigations: scan with git clone --mirror, use pre-commit hooks, rotate tokens, contact SCM support for deletion, and apply specialized scanning to bare repositories.
