Tuesday, March 26, 2019

Someone forgot the importance of API and cryptographic keys: NCSU academics scanned GitHub accounts for a period of nearly six months and found 575,456 API and cryptographic keys, of which 201,642 were unique, all spread over more than 100,000 GitHub projects. "81% of the secrets were not removed," the researchers said. "It is likely that the developers for this 81% either do not know the secrets are being committed or are underestimating the risk of compromise."


"In one case, we found what we believe to be AWS credentials for a major website relied upon by millions of college applicants in the United States, possibly leaked by a contractor."

They also found AWS credentials for the website of a major government agency in a Western European country. "In that case, we were able to verify the validity of the account, and even the specific developer who committed the secrets. This developer claims in their online presence to have nearly 10 years of development experience."

Last, but not least, the researchers also found 7,280 RSA keys inside OpenVPN config files. By looking at the other settings found inside these configuration files, the researchers said that the vast majority of the users had disabled password authentication and were relying solely on the RSA keys for authentication, meaning anyone who found these keys could have gained access to thousands of private networks.
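As an added example (not from the article or the NCSU study), here is the kind of pre-commit check these findings call for: it parses an OpenVPN client config, flags an inline private key, and reports whether `auth-user-pass` is absent, i.e. the key-only setup the researchers describe. The sample config is constructed and contains no real key material.

```python
import re

# Constructed sample: an OpenVPN client profile with an inline private key
# and no auth-user-pass directive (placeholder base64, not a real key).
SAMPLE_CONFIG = """client
dev tun
remote vpn.example.test 1194
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholder
-----END RSA PRIVATE KEY-----
</key>
"""

# PEM header forms that mark private key material.
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
INLINE_TAG_RE = re.compile(r"<(/?)([a-z-]+)>")


def audit_openvpn_config(text):
    """Return what a repository secret scanner would want to know about
    an OpenVPN config: is a private key embedded, and is it the only factor?"""
    directives = set()          # top-level directive names seen
    inline_private_key = False  # PEM private key inside a <key> block
    key_file_ref = None         # external key file named by a 'key' directive
    current = None              # inline block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tag = INLINE_TAG_RE.fullmatch(line)
        if tag:
            current = None if tag.group(1) else tag.group(2)
            continue
        if current:
            if current == "key" and PRIVATE_KEY_RE.search(line):
                inline_private_key = True
            continue
        parts = line.split()
        directives.add(parts[0])
        if parts[0] == "key" and len(parts) > 1:
            key_file_ref = parts[1]
    password_auth = "auth-user-pass" in directives
    return {
        "inline_private_key": inline_private_key,
        "password_auth": password_auth,
        "key_file": key_file_ref,
        # The risky case from the study: committed key, no second factor.
        "key_only_auth": inline_private_key and not password_auth,
    }
```

Run it on every `.ovpn` or `.conf` staged for commit and block the commit when `key_only_auth` is true.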

https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/
