Wow!
"one project contained credentials that allowed access to the entire AWS account that was being used, including over a hundred S3 storage buckets that contained logs and analytics data."
“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.
The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.
Source: