
Third-Party Risk Intelligence: A Critical Vendor's GitHub Repo Exposed API Keys

May 10, 2025

Outcome

Exposed API keys detected; vendor notified; keys rotated within 4 hours; client data exposure prevented.

Background

A healthcare company subscribed to TraxinteL's Third-Party Risk Monitoring service, which continuously assesses the security posture of critical vendors. One vendor provided cloud-based patient scheduling software.

Investigation Methodology

  1. GitHub Monitoring: Public GitHub repositories associated with the vendor's engineering team were continuously monitored for sensitive data exposure — API keys, credentials, configuration files, and internal documentation.
  2. Leaked Secret Classification: Detected secrets were classified by type and severity — determining whether they provided access to production systems, test environments, or customer data.
  3. Impact Assessment: We assessed whether the exposed credentials could provide access to the client's data specifically.
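
Steps 1 and 2 applied to a single configuration file, as an added example that is not TraxinteL's tooling. The regex rules, the environment keywords used to rank severity, and the sample config are all assumptions constructed for illustration.

```python
import hashlib
import re

# Assumed, illustrative rules; SAMPLE_CONFIG below is constructed data.
RULES = {
    "api_key": re.compile(
        r"^\s*([\w.-]*(?:api[_-]?key|token|secret)[\w.-]*)\s*[:=]\s*"
        r"['\"]?([A-Za-z0-9_\-]{16,})['\"]?\s*$", re.I),
    "db_connection_string": re.compile(
        r"^\s*([\w.-]+)\s*[:=]\s*['\"]?((?:postgres(?:ql)?|mysql|mongodb)://"
        r"[^:\s/]+:[^@\s]+@[^\s'\"]+)['\"]?\s*$", re.I),
}
PLACEHOLDER = re.compile(r"changeme|placeholder|your[_-]|x{8,}", re.I)
PROD = {"prod", "production", "live"}
NONPROD = {"test", "dev", "staging", "sandbox", "qa"}


def severity(name, value):
    """Rank by environment hints in the setting name or value."""
    tokens = set(re.split(r"[^a-z0-9]+", f"{name} {value}".lower()))
    if tokens & PROD:
        return "critical"
    if tokens & NONPROD:
        return "low"
    return "medium"  # environment unknown: needs manual triage


def scan(text):
    """Return one finding per detected secret; never echo the secret itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rule in RULES.items():
            m = rule.match(line)
            if m and not PLACEHOLDER.search(m.group(2)):
                name, value = m.groups()
                findings.append({
                    "line": lineno, "type": kind, "name": name,
                    "severity": severity(name, value),
                    "fingerprint": hashlib.sha256(value.encode()).hexdigest()[:12],
                })
    return findings


SAMPLE_CONFIG = """\
SCHEDULING_API_KEY_PROD=Zk3vP0qLm8Xn2RtY7wBa5CdE
SCHEDULING_API_KEY_TEST=Aa1Bb2Cc3Dd4Ee5Ff6Gg7Hh8
MAPS_API_KEY=your_api_key_goes_here
DATABASE_URL=postgres://svc_app:S3cr3tPw@db.prod.internal:5432/scheduling
STAGING_DB=mysql://ci:ci_password@staging-db.internal/sched
"""
```

Calling `scan(SAMPLE_CONFIG)` returns four findings and skips the placeholder on line 3. Each finding carries a truncated SHA-256 fingerprint rather than the secret, so reports and tickets do not become a second copy of the leak.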

Key Findings

  • A vendor engineer committed a configuration file to a public GitHub repository containing 4 API keys and 2 database connection strings.
  • One API key provided read access to the vendor's production API — which included the client's patient scheduling data.
  • The commit had been public for 6 days before detection.
  • The repository had been forked twice, meaning copies of the commit existed outside the vendor's control and indicating potential unauthorized access.

Outcome

The vendor was notified through the client's CISO. All exposed keys were rotated within 4 hours. An audit log review confirmed no unauthorized access had occurred during the 6-day exposure window. The vendor implemented pre-commit secret scanning. Detection speed: 6 days from exposure.
