
Security Researcher Recovers Deleted GitHub Commits—And Finds Sensitive Data

In a striking demonstration of a little-known risk on GitHub, security researcher Sharon Brizinov revealed that deleted commits from public repositories can sometimes be recovered—along with any sensitive data they may contain.

Brizinov managed to retrieve several commits that developers thought had been removed from public view. Among the findings was an alarming discovery: a valid administrative access token that granted full access to all repositories of Istio, a popular open-source service mesh solution commonly used with Kubernetes.

While the token has since been revoked, the incident raises significant concerns about the security practices of developers and the limitations of Git version control itself.

The Problem Is Built into Git

The root of the issue lies in Git's design. When developers accidentally commit secrets, such as passwords, API keys, or tokens, they may try to delete the offending commit. But removing or reverting a commit does not guarantee that it is gone: a revert only adds a new commit that undoes the change, and a commit dropped from a branch can still survive elsewhere, including GitHub's cache or forks of the repository.

The recommended way to fully remove such commits is to rewrite the history and force push the result, a more involved and error-prone process that requires careful execution. Even then, remnants of the commit may still be accessible unless GitHub support is contacted directly to remove all traces.

What Developers Should Do

To avoid similar issues, developers should:

  • Use tools that scan for secrets before pushing code.

  • Avoid committing sensitive data, even in test or private branches.

  • Immediately revoke exposed credentials and rotate keys when leaks are discovered.

  • Follow GitHub’s guidelines for removing sensitive data from repositories.

  • Reach out to GitHub support in severe cases to ensure full removal from cache and mirrors.
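The first recommendation, scanning for secrets before code is pushed, is the one that prevents the problem rather than cleaning up after it. The script below is an added example written for this article; it is not the researcher's, GitHub's, or Istio's code. It reads a unified diff (as produced by `git diff --cached` in a pre-commit hook), checks only the added lines against a handful of token patterns, and skips lines that merely read a value from the environment or carry an explicit allow marker. The token shapes, the `ENV_LOOKUP` heuristic, the `secret-scan: allow` marker and the sample diff are all constructed assumptions for the example.

```python
"""Scan a unified diff for secrets before it is committed or pushed.

Added example, not code from the article or from any project it names.
Pattern shapes, the allow marker and SAMPLE_DIFF are constructed assumptions.
Typical use in a pre-commit hook:  git diff --cached | python scan_secrets.py
"""
import re
import sys
from dataclasses import dataclass

# Illustrative patterns (assumptions modelled on common token formats).
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = value, where the name looks secret-ish and the value is long enough
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?[^\s'\"]{8,}"
    ),
}
# A value read from the environment is a reference, not an embedded secret.
ENV_LOOKUP = re.compile(r"os\.environ|getenv|process\.env|\$\{?[A-Z_][A-Z0-9_]*")
# Reviewed false positives can be marked inline (constructed convention).
ALLOW_MARKER = "secret-scan: allow"
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str      # file the added line belongs to
    line: int      # line number in the new version of that file
    kinds: tuple   # which patterns fired, sorted


def scan_diff(diff_text: str) -> list:
    """Return one Finding per added diff line that matches a secret pattern."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))  # first line number covered by this hunk
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue  # removed lines and "\ No newline" markers are not in the new file
        if raw.startswith("+"):
            content = raw[1:]
            if ALLOW_MARKER not in content and not ENV_LOOKUP.search(content):
                kinds = tuple(sorted(k for k, p in SECRET_PATTERNS.items() if p.search(content)))
                if kinds:
                    findings.append(Finding(path, new_line, kinds))
        # context (" ") and added ("+") lines both occupy a line in the new file
        new_line += 1
    return findings


def format_report(findings: list) -> str:
    """Human-readable summary, one line per finding."""
    if not findings:
        return "no secrets detected"
    return "\n".join(f"{f.path}:{f.line}: {', '.join(f.kinds)}" for f in findings)


# Constructed sample diff: one real-looking token shape per pattern, plus two
# lines that must NOT be reported (an environment lookup and an allowed line).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,6 @@
 import os
-API_KEY = os.environ["API_KEY"]
+API_KEY = "ghp_0123456789abcdef0123456789abcdef0123"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = os.environ.get("DB_PASSWORD")
+SAMPLE_TOKEN = "token=placeholder-value"  # secret-scan: allow
+DEPLOY_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----"
"""

if __name__ == "__main__":
    # Scan stdin when piped from git, otherwise the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    results = scan_diff(text)
    print(format_report(results))
    sys.exit(1 if results else 0)  # non-zero exit blocks the commit in a hook
```

Run against the sample, the scanner reports `config.py:2`, `config.py:3` and `config.py:6` and exits non-zero, while the `os.environ.get` line and the allow-marked line pass. Two design points matter in practice: scanning only added lines keeps the hook fast and avoids re-flagging history, and the whole-line `ENV_LOOKUP` skip is a deliberate trade-off, since a literal secret placed on the same line as an environment lookup would slip through; a stricter variant would test only the assigned value.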

This incident serves as a wake-up call for developers and organizations alike. Even “deleted” data may not be gone, and if it includes credentials or secrets, it could open the door to serious security breaches.
