Critical: act in the next 60 seconds

.env pushed to GitHub: every secret in it is now public

Your environment variables file may be exposed. Here is the fastest possible recovery — three steps, no theory.

  1. Step 01

    Treat every value in the file as compromised. Rotate ALL of them — keys, DB passwords, JWT secrets, OAuth credentials.

  2. Step 02

    Add .env (and .env.local, .env.production) to .gitignore. Then "git rm --cached .env" and commit.

  3. Step 03

    For private repos, the file is still in git history — use git-filter-repo or BFG to expunge it. For public repos, treat history as forever-readable.

Step 01 — Revoke

Kill the leaked credential first

No single revoke URL — every value in the file needs to be rotated at its source provider. Start with the highest-value ones: payment keys, database passwords, cloud credentials, AI keys. The corresponding incident pages on this site walk through each.

GitHub security log

Step 02 — Rotate

Update the new key in the right place

Server-side env vars only — never in client code, never with NEXT_PUBLIC_.
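As an added example (not code from this page or its scanner): a Python helper that turns the leaked file into a rotation checklist, parsing dotenv syntax, ordering entries by the priority given in Step 01, masking the values so the list can go into a ticket, and flagging any NEXT_PUBLIC_ entries, which were already shipped to the browser. The key-name patterns and the sample file are assumptions constructed for the example, not an exhaustive provider list.

```python
import re

# Key-name hints in the order the page says to rotate: payment, database, cloud, AI,
# then generic auth material. Patterns are illustrative assumptions, not a complete list.
PRIORITY = [
    ("payment",  re.compile(r"STRIPE|PAYPAL|BRAINTREE", re.I)),
    ("database", re.compile(r"DATABASE_URL|DB_|POSTGRES|MYSQL|MONGO|REDIS", re.I)),
    ("cloud",    re.compile(r"AWS_|GCP_|GOOGLE_|AZURE_", re.I)),
    ("ai",       re.compile(r"OPENAI|ANTHROPIC|HUGGINGFACE", re.I)),
    ("auth",     re.compile(r"JWT|SESSION|OAUTH|CLIENT_SECRET|TOKEN|API_KEY|SECRET|PASSWORD", re.I)),
]
RANK = {name: i for i, (name, _) in enumerate(PRIORITY)}
LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_env(text):
    """Parse dotenv-style text into {KEY: value}; skips comments, strips matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        env[key] = val
    return env

def classify(key):
    return next((name for name, pat in PRIORITY if pat.search(key)), "other")

def rotation_checklist(text):
    """Return rows (rank, category, key, masked_value, client_exposed), highest-value first.
    Values are masked: only a short prefix survives, enough to recognise the key type."""
    rows = []
    for key, val in parse_env(text).items():
        if not val:
            continue  # empty placeholder, nothing to rotate
        cat = classify(key)
        masked = val[:4] + "..." if len(val) > 8 else "***"
        rows.append((RANK.get(cat, len(RANK)), cat, key, masked, key.startswith("NEXT_PUBLIC_")))
    return sorted(rows)

SAMPLE = """\
# constructed sample file, not a real leak
export STRIPE_SECRET_KEY="sk_test_000000000000"
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
AWS_SECRET_ACCESS_KEY=EXAMPLEKEYEXAMPLEKEYEXAMPLE
OPENAI_API_KEY='sk-constructed-placeholder'
JWT_SECRET=notarealsecret
NEXT_PUBLIC_ANALYTICS_ID=ua-123
EMPTY_KEY=
"""
```

Run `rotation_checklist(SAMPLE)` to get the ordered rows; the `NEXT_PUBLIC_` row is not a secret to rotate but a reminder that anything under that prefix is public by design.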

Remove from working tree (does NOT unleak history)

    # Stop tracking the file and the variants named in Step 02
    git rm --cached --ignore-unmatch .env .env.local .env.production
    printf '.env\n.env.local\n.env.production\n' >> .gitignore
    git add .gitignore && git commit -m "stop tracking .env"

    # Purge from history (rewrites every commit; coordinate with the team, everyone re-clones afterwards)
    # pip install git-filter-repo   (run it in a fresh clone; it refuses to run on a used one)
    git filter-repo --path .env --path .env.local --path .env.production --invert-paths
    # filter-repo deletes the 'origin' remote as a safety measure; add it back before pushing
    git remote add origin <repo-url>
    # push every rewritten branch and tag, not just the current branch
    git push --force --all && git push --force --tags

Step 03 — Scan

Confirm nothing else leaked alongside it

Scan your live site to confirm no .env is exposed at /.env, /.env.local, /.env.production, or other common paths.

How this usually leaks

  • Initial commit pushed before .gitignore was set up.
  • Lovable/Bolt project scaffolded with .env tracked by default.
  • Renamed to .env.production but never .gitignored.
  • Committed to a "public" sample repo for a tutorial.

FAQ

Frequently asked questions

I made the repo private right after the leak. Am I safe?

No. Bots scrape new public commits within seconds and archive them. By the time you flipped the repo private, the values were likely already in attacker datasets. Rotate everything.

How do I purge a file from git history?

Use git-filter-repo (the modern replacement for filter-branch) or BFG Repo-Cleaner. Both rewrite history, which means everyone working on the repo must re-clone after the force push. GitHub also caches old commits — open a support request to ask for a cache purge.

Will GitHub auto-revoke things in the .env?

Partially. GitHub's secret scanning catches and notifies for OpenAI, Anthropic, AWS, Stripe, GitHub, Slack, and ~50 other patterns it recognizes. Anything custom (your own JWT secret, DB password) is not auto-detected.
