As soon as you push something sensitive to a public GitHub project, you need to immediately assume that it has been noticed and that someone is on their way to try and exploit you. There's a very high chance that it's the case, especially with API keys for services like MailGun, etc, which can be used by spammers.
Attackers are using the Github firehose to look for credentials. You need to immediately revoke them.
As soon as you push something sensitive to a public GitHub project, you need to immediately assume that it has been noticed and that someone is on their way to try and exploit you. There's a very high chance that it's the case, especially with API keys for services like MailGun, etc, which can be used by spammers.
Attackers are using the Github firehose to look for credentials. You need to immediately revoke them.