by nailer 3346 days ago
Weirdly, AWS and GitHub seem to have something similar. I know a couple of folks (not me!) who've uploaded AWS credentials to OSS projects on GitHub and been contacted by AWS about it, after AWS has revoked the credentials.
2 comments

For AWS it makes sense, because typically AWS discounts the customer the damage made by stolen credentials.

For example, if a dozen EC2 instances are launched with credentials poached from GitHub to mine bitcoins, I know AWS used to remove the rogue extra charge from the customer bill, as a token of gratitude (to avoid losing the customer by a sense of defenselessness).

Yes. AWS actually does scan on a regular basis. They have caught some before any harm is done. I don't know how often though.
I wonder if they scan GH periodically, or simply see abnormal action on these accounts that are accessed by the exposed keys.