by bifrost 2612 days ago
I've mostly seen this reported in forums and during discussion; if you Google around you'll find some pretty useful hits.

Here's a good one from Reddit: https://www.reddit.com/r/github/comments/9odnvw/someone_fork...

It's also discussed reasonably well in the infosec community. Basically GitHub is a great place to find other people's passwords and API keys.

2 comments

That's unrelated to GitHub though. It sounds like the person did a git clone and then created a new repo and pushed it. You could do that with a self-hosted git repo as well. To stop that you would have to have your git server block logins from non-company machines and have some serious logging on all company machines to stop anyone moving it off via USB.
baroffoos: That's pretty close to what I'm suggesting, no public repo access. It works.