And remember folks, just deleting the file doesn't solve the problem, because this is a version control system.
Github has published instructions on how to actually purge sensitive data that's been accidentally committed: https://help.github.com/articles/remove-sensitive-data
We need a cross reference between this and Facebook graph search. For science.
(I flagged, also, because this should be told to the guys at Github, not out in the open.)
Oh, and of course, Google indexes them. Fantastic.
This isn't new, presumably anyone who cared to exploit it would have already thought of:
https://www.google.com/search?q=site%3Agithub.com+inurl%3A.s...
Same thing, right?
This is a big WTF moment for me. There are a ton of private keys here. I don't even know what else to say.
How exactly does this happen? I can understand that some people don't understand the need to keep their private key offline, but I would have thought those people aren't really aware of the existence of the private key...so how does it end up in a github repo?
Alternate source: https://www.google.com/search?q=BEGIN+RSA+PRIVATE+KEY&as...
I almost can't believe someone would commit their .ssh directory to a public GitHub repo.
Seriously - why? Your public key, sure, but the entire directory?
It would be interesting to find out what % are password-protected.
It'd be a useful feature for github and bitbucket to have a default pre-commit that scans for probably-sensitive files and rejects commits like that (maybe with a repo setting to opt out on the website, if you think you know what you're doing)
edit: In fact, they should probably run a full search for such files now and email a heads-up to users with repos that produce hits.
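The pre-commit scan suggested in the comment above, as an added example that is not part of the thread and not GitHub's or Bitbucket's code: a POSIX sh hook that refuses to commit files carrying a private-key header or living at a key-like path, and, for the question earlier in the thread about how many leaked keys are passphrase-protected, distinguishes encrypted keys from unencrypted ones (legacy PEM via the Proc-Type header, OpenSSH format by decoding the cipher name at the start of the body). The path list, the ALLOW_KEY_COMMIT opt-out variable and the sample files are assumptions chosen for illustration; the samples are constructed filler, not real keys.

```shell
#!/bin/sh
# Added example, not GitHub's/Bitbucket's code. Install as .git/hooks/pre-commit.
# ALLOW_KEY_COMMIT=1 is an assumed opt-out; the path patterns are assumptions.
LC_ALL=C; export LC_ALL

# Header lines that mark PEM (RSA/DSA/EC/PKCS#8) or OpenSSH private-key material.
KEY_HEADER_RE='^-----BEGIN \(RSA \|DSA \|EC \|OPENSSH \|ENCRYPTED \)\{0,1\}PRIVATE KEY-----'

# has_private_key FILE: exit 0 if FILE contains a private-key header.
has_private_key() {
    grep -q -- "$KEY_HEADER_RE" "$1" 2>/dev/null
}

# suspicious_path NAME: exit 0 if the path alone looks like key material
# (anything under .ssh/, the usual id_* names, *.pem, *.key).
suspicious_path() {
    case "$1" in
        .ssh/*|*/.ssh/*|id_rsa|*/id_rsa|id_dsa|*/id_dsa|id_ecdsa|*/id_ecdsa) return 0 ;;
        id_ed25519|*/id_ed25519|*.pem|*.key) return 0 ;;
        *) return 1 ;;
    esac
}

# key_is_encrypted FILE: exit 0 if the key appears passphrase-protected.
#  - legacy PEM: "Proc-Type: 4,ENCRYPTED" header, or a PKCS#8 ENCRYPTED block
#  - OpenSSH format: decoded body starts with "openssh-key-v1\0", then a
#    4-byte length and the cipher name; a cipher name of "none" means plaintext
key_is_encrypted() {
    if grep -q -- '^Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null ||
       grep -q -- '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" 2>/dev/null; then
        return 0
    fi
    if grep -q -- '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1" 2>/dev/null; then
        # Drop header/footer, decode, keep the first 24 bytes, map non-printable
        # bytes to '.' so the magic + length + cipher name can be glob-matched.
        cipher=$(sed '1d;$d' "$1" | tr -d '\n' | base64 -d 2>/dev/null |
                 head -c 24 | tr -c '[:print:]' '.')
        case "$cipher" in
            openssh-key-v1.....none*) return 1 ;;   # cipher "none": unencrypted
            openssh-key-v1*)          return 0 ;;   # any other cipher name
        esac
    fi
    return 1
}

# check_path FILE: exit 1 (with a reason on stderr) if FILE must not be committed.
# Encrypted keys are refused too: once leaked, the passphrase is all that is left,
# and offline guessing against it is cheap.
check_path() {
    f=$1
    if [ -f "$f" ] && has_private_key "$f"; then
        if key_is_encrypted "$f"; then
            echo "refusing $f: passphrase-protected private key" >&2
        else
            echo "refusing $f: UNENCRYPTED private key" >&2
        fi
        return 1
    fi
    if suspicious_path "$f"; then
        echo "refusing $f: path looks like key material" >&2
        return 1
    fi
    return 0
}

# Hook entry point: scan every file staged (added/copied/modified) for this commit.
run_hook() {
    [ "${ALLOW_KEY_COMMIT:-0}" = 1 ] && return 0
    rc=0
    git diff --cached --name-only --diff-filter=ACM | while read -r f; do
        check_path "$f" || exit 1
    done || rc=1
    return $rc
}

# make_samples DIR: constructed sample files (filler bodies, not real keys).
make_samples() {
    mkdir -p "$1/.ssh"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIEfake\n-----END RSA PRIVATE KEY-----\n' > "$1/server.pem"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\nMIIEfake\n-----END RSA PRIVATE KEY-----\n' > "$1/.ssh/id_rsa"
    # OpenSSH layout: magic, NUL, uint32 len 4, "none" (cipher), uint32 len 4, "none" (kdf)
    body=$(printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64 | tr -d '\n')
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n' "$body" > "$1/id_ed25519"
    printf 'hello\n' > "$1/README.md"
}

# Dry run without a repo: ./pre-commit --demo ; as a hook, scan the index.
if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d); make_samples "$d"
    for f in "$d/server.pem" "$d/.ssh/id_rsa" "$d/id_ed25519" "$d/README.md"; do
        check_path "$f" && echo "ok $f"
    done
    rm -rf "$d"
elif [ "${0##*/}" = pre-commit ]; then
    run_hook || exit 1
fi
```

The path check catches the case from the thread (a whole .ssh directory committed) even when a file has no PEM header, such as known_hosts or a config; the header check catches a key dropped into an innocently named file. A server-side hook or a bulk history scan with the same two functions is the "search now and email the owners" step.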