See for example, https://www.google.com/search?q=cherry+coke
gives you a top result of https://staging.us.coca-cola.com/products/coca-cola-energy/cherry
which prompts with like an htaccess password
I got a different staging server as my #2 result. This is password protected like OP suggested.
https://preview.us.coca-cola.com/products/coca-cola-flavors/cherry-vanilla
The link OP shared is open to the public to me.
https://staging.us.coca-cola.com/products/coca-cola-energy/cherry
I would think that even if these weren't showing up on Google that people would be able to find the subdomains through DNS. They should probably move these to an internal domain so they are harder to find.
For me the same happens w/ Netflix: their staging environment just shows up in normal search results:
https://www.release.staging.ssic.netflix.com/
I see it, but I don't see a password; it looks just like the live site to me. https://imgur.com/a/Zn9tHCk
This applies to most big companies, maybe you just happened to notice it now. Security researchers are leveraging these (called Google dorks) every minute to find targets.
Top result for me is https://en.wikipedia.org/wiki/Coca-Cola_Cherry
Yep I see it, though it doesn't prompt me for a password - just looks like a normal half-finished website (although very different from www.coca-cola.com). Interesting.
> Coca-Cola® Energy Zero Sugar
> Calories 0
> Coca-Cola® Energy Zero Sugar combines the great taste of Coca-Cola with the energy you want to power you