
GitHub Secrets Leak From Deleted Files Resurface

[Image: GitHub Boosts Code Security with New Tools to Guard Secrets. Image credits: DOK TADVISER]

Think deleting a file from your GitHub repo makes it disappear? Think again. Security researcher Sharon Brizinov earned over $64,000 in bug bounties by exposing a hidden danger: secrets stored in deleted files. These files had been removed from public GitHub repositories but still existed within Git’s history.

Most developers don’t realize this. Git doesn’t actually erase a deleted file; the deletion only removes it from the current snapshot. Every committed version of a file becomes part of Git’s internal history, and unless you rewrite that history, sensitive data sticks around.

Git stores everything as snapshots. When you commit a file, Git saves a copy of its contents as an object inside the repository’s hidden .git directory. Deleting the file from the working directory does not remove that object: it stays for as long as any commit still references it, and for weeks or longer afterwards until garbage collection runs, unless you take extra steps to erase it.

Brizinov explains that tools like git filter-branch or git-filter-repo are needed to wipe those files for good. Even then, the cleanup process must include garbage collection to remove hidden copies.

To prove how risky this can be, Brizinov built a tool. It scans public repositories with over 5,000 stars or active bug bounty programs. It restores deleted files from past commits and searches them for secrets like API keys, tokens, and login credentials.

His tool found plenty.

Most of the exposed data came from binary files. These files often go unnoticed during code reviews, yet they contained keys and credentials for AWS, Google Cloud, GitHub, Slack, HuggingFace, and more. Some even included email login details.
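The following script is an added demonstration of the three points above: that a deleted file survives in Git’s history, that an auditor can recover it from past commits and scan it for key-shaped strings (including inside a binary blob), and that wiping it takes a history rewrite followed by reflog expiry and garbage collection. It is not the article’s or Brizinov’s code. It assumes git is installed, builds a throwaway repository under mktemp, and uses a constructed placeholder key (AKIAEXAMPLEFAKEKEY01) that is not a real credential. It uses git filter-branch rather than git-filter-repo only because filter-branch ships with git itself; the rewrite, ref cleanup and gc steps are the same with either tool.

```shell
#!/bin/sh
# Added demonstration (not the article's or Brizinov's code): commit a small
# binary file holding a constructed placeholder key, delete it, show it is
# still recoverable from history, then purge it and verify the object store
# is clean. Everything happens in a throwaway repository under mktemp.
set -eu

FAKE_KEY='AKIAEXAMPLEFAKEKEY01'      # constructed placeholder, not a real credential
KEY_PATTERN='AKIA[0-9A-Z]\{16\}'     # shape of an AWS access key ID (BRE for grep)

# Count lines matching the key pattern anywhere in the object store,
# reachable or not: --batch-all-objects walks loose and packed objects alike.
# grep exits 1 on zero matches; "0" is a valid answer, not an error.
count_key_in_objects() {
    git -C "$1" cat-file --batch-all-objects --batch | grep -a -c "$KEY_PATTERN" || true
}

# Create a repository with the leak pattern from the article: a binary file
# carrying a secret is committed, then "removed" in a later commit.
make_leaky_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" config user.email demo@example.invalid
    git -C "$repo" config user.name demo
    # NUL bytes make this a binary blob, the kind reviewers tend to skip
    printf 'BIN\000\001\002\000%s\000\377' "$FAKE_KEY" > "$repo/config.bin"
    git -C "$repo" add config.bin
    git -C "$repo" commit -q -m "add build config"
    git -C "$repo" rm -q config.bin
    git -C "$repo" commit -q -m "remove build config"
    printf '%s\n' "$repo"
}

# Recover a deleted file the way an auditor would: find the commit that
# deleted the path and read the blob from that commit's parent.
recover_deleted() {
    repo=$1; path=$2
    del=$(git -C "$repo" log --all --diff-filter=D --format=%H -- "$path" | head -n 1)
    [ -n "$del" ] || return 0            # nothing was ever deleted under this path
    git -C "$repo" show "$del^:$path"
}

# Number of key-pattern hits in the recovered copy of the deleted file.
recovered_key_count() {
    recover_deleted "$1" "$2" | grep -a -c "$KEY_PATTERN" || true
}

# Purge a path from history. All three steps are required: rewriting commits
# alone leaves the old commits reachable through backup refs and the reflog,
# and only garbage collection deletes the blob from disk.
purge_from_history() {
    repo=$1; path=$2
    # 1. Rewrite every commit on every ref so the path never existed.
    #    (git-filter-repo, which the article also names, is the recommended
    #    replacement, but filter-branch ships with git itself.)
    FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$repo" filter-branch -f \
        --index-filter "git rm --cached --ignore-unmatch -q -- '$path'" \
        -- --all >/dev/null 2>&1
    # 2. Drop the backup refs and reflog entries that still point at old commits.
    rm -rf "$repo/.git/refs/original"
    git -C "$repo" reflog expire --expire=now --all
    # 3. Garbage-collect; only now are the unreachable objects actually deleted.
    git -C "$repo" gc -q --prune=now
}

# Walk-through when run directly.
repo=$(make_leaky_repo)
echo "hits in object store before purge : $(count_key_in_objects "$repo")"
echo "hits in recovered deleted file    : $(recovered_key_count "$repo" config.bin)"
purge_from_history "$repo" config.bin
echo "hits in object store after purge  : $(count_key_in_objects "$repo")"
rm -rf "$repo"
```

The object-store count is the check worth keeping: after a rewrite that skips the reflog expiry or the gc step, the recovered-file check already reports zero hits while the blob is still sitting on disk, which is exactly the "trusting cleanup tools without checking the results" failure the article describes. Run the same count against a fresh clone as well, since anything a clone still carries is what the public already has; and none of this replaces rotating the key.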

Why do these leaks happen?

Brizinov points to three reasons:

  • Many developers don’t understand how Git stores files.
  • Some don’t realize they’ve committed hidden or binary files.
  • Others trust Git cleanup tools without checking the results.

The fix isn’t just deleting the file.

If a secret leaks—even briefly—you need to rotate it immediately. Attackers often scan public repos for exactly this kind of mistake. Once they find a leaked key, they act fast. And if your repo is public, it may already have been cloned.

This issue shows how powerful Git is—but also how risky. Developers need to understand what Git keeps, not just what’s visible in the latest commit. Without that knowledge, secrets stay hidden in plain sight.
