Programming often involves keeping a bunch of secrets around. You’ve got account passwords, OAuth tokens, SSL and SSH private keys. The best way to keep a secret is, well, to keep it secret.
Sometimes in a forgetful moment, however, those secrets get shared with the whole world.
Once a secret is out, it’s out. There are no partially compromised secrets. If you’ve pushed sensitive information to a public repository, there’s a good chance that it’s been indexed by Google and can be searched. And with GitHub’s new Search feature, it’s now more easily searchable on our site.
Our help page on removing sensitive data reminds us that once the commit has been pushed to a public repository, you should consider the data to be compromised. If you think you may have accidentally shared private information in a repository, we urge you to change that information (password, API key, SSH key, etc.) immediately and purge that secret data from your repositories.
I also want to clarify that our code search results being unavailable is unrelated to this issue. Our operations team has been working on repairing and tuning the code search cluster. We will continue to update our status site with updates on our progress. We will also be publishing a detailed post-mortem on the code search availability issues next week.