Some users discovered yet another way to use the search tool: finding files containing private encryption keys and source code with login credentials. Scarily enough, there were thousands of them.
Searching on id_rsa, a file which contains the private key for SSH logins, returned over 600 results. Other developers had hardcoded passwords for privileged user accounts, such as root, sa, and admin.
"With a simple script or tool, external hackers or malicious insiders can quickly discover these lost keys and use them to gain access to critical information assets," Jason Thompson, director of global marketing, SSH Communications Security said. "If the key grants a high level of administrative access, such as root, the potential threat to the business grows exponentially.
To be clear, GitHub is not at fault, since the company is just a hosting service. It just stores whatever files the developer wants to save. The search engine is not accidentally leaking confidential information. The data was already saved on GitHub, it is just making it easier for someone to find these mistakes.
Developers should note that GitHub has a Help page on how to make sure sensitive data is not saved to the repository.