Security researcher Vladimír Smitka said he found 390,000 Internet domains with a .git folder in a publicly accessible part of the site. That could lead to problems if the folder includes sensitive information. "Sometimes you can get very sensitive data such as database passwords, API keys, development IDE settings, and so on," Smitka said. "This data shouldn't be stored in the repository, but... I have found many, many developers that do not follow these best practices."
Smitka has notified the developers involved. "After sending the emails, I exchanged about 300 additional messages with affected parties to clarify the issue," Smitka reported. "I have received almost 2,000 thank-you emails, 30 false positives, two scammer/spammer accusations, and one threat to call the Canadian police."