by joper90 1397 days ago
This to me means the devs have access to the prod keys, even to the external services... not good.

How big is their dev team? Does their app change much? Could they have contracted it out and now only have one or two people who still push updates to it?
It's Airbnb... they should have this stuff sorted! Dev/prod should be completely separate, with the vaults/secrets management in prod having the correct keys and only a few peeps having access (in a break-glass situation). Devs should not have the keys to put into code to push to a prod external service...

There is zero reason why any dev (or worse, external dev team) should have access to prod secrets, or the ability to push out via prod (unless someone cocked up the config for the dev/staging push notification tooling, which again requires a level of access).