I faced the same issue because of our intern. He published .env file for everyone on the internet.
The .env file contains mail, google cloud and bank API keys. It was really terrible.
How did you guys manage the situation? Did everyone scramble to reset the API keys while others scrambled to clean up the working tree and commit history?
I regenerate the mail and bank API keys. I also bank added IP limit to bank API portal.
Our lead was so angry. I created a script to remove critical commit histories before we faced this situation (about 2 years ago). I ran that shell script.
But it was so dangerous. Normally we don't have published repositories.
I can say this was our fault.
I take it that the intern didn't stay there for long...
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.