"A code repository used by the New York state government’s IT department was left exposed on the internet, allowing anyone to access the projects inside, some of which contained secret keys and passwords associated with state government systems."

It's incredible that folks still think that network security and access is sufficient. There are many tools available to manage secrets that don't involve checking them in (assuming in plain text here) to a git repo. It doesn't matter where the repo is hosted, just don't commit secrets.