Anyone can access deleted and private repository data on GitHub

GitHub allows access to data from deleted forks, deleted repositories, and even private repositories indefinitely. The authors at Truffle Security introduce the term Cross Fork Object Reference (CFOR) to describe the vulnerability. A crucial point is that sensitive data, including API keys, remains reachable in deleted forks. Even private features and code can be accessed if not synced properly. The common belief that deleting a repository destroys its data is challenged, because GitHub's repository network retains commit data. The implications are significant: rotating any exposed key is the only secure remediation, since deletion alone does not remove the data. While the focus is on GitHub, similar issues may exist in other version control systems.
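The underlying reason a deleted fork's commits survive is git's object model: removing a ref (a branch, or a whole fork) does not remove the objects it pointed to from the shared store. The script below is an added illustration, not code from the Truffle Security post; it builds a local bare "upstream" and a throwaway clone standing in for a fork (all paths and the `API_KEY` value are constructed), deletes the pushed branch and the clone, and shows the commit is still retrievable by hash.

```shell
#!/bin/sh
# Added example: why ref deletion is not data deletion. Local git only; nothing here
# contacts GitHub. Paths, identity and the sample key are constructed for the demo.
set -eu

demo_dangling_commit() {
  work=$(mktemp -d)
  upstream="$work/upstream.git"   # stands in for the public upstream repository
  fork="$work/fork"               # stands in for a contributor's fork
  ident="-c user.name=demo -c user.email=demo@example.invalid"

  git init -q --bare "$upstream"
  git clone -q "$upstream" "$fork" 2>/dev/null
  git -C "$fork" $ident commit -q --allow-empty -m "base"
  git -C "$fork" push -q origin HEAD:main 2>/dev/null

  # The "fork" commits a secret and pushes it to the shared network (as a PR would).
  printf 'API_KEY=EXAMPLE_KEY_NOT_REAL\n' > "$fork/config.env"
  git -C "$fork" add config.env
  git -C "$fork" $ident commit -q -m "add key"
  sha=$(git -C "$fork" rev-parse HEAD)
  git -C "$fork" push -q origin HEAD:refs/heads/feature 2>/dev/null

  # Delete the branch on the server and wipe the fork entirely.
  git -C "$fork" push -q origin --delete feature 2>/dev/null
  rm -rf "$fork"

  # No ref reaches the commit any more, so history walks do not show it ...
  if git --git-dir="$upstream" log --all --format=%H | grep -q "$sha"; then
    rm -rf "$work"; return 1
  fi
  # ... yet the object is still in the store and can be read directly by hash.
  if git --git-dir="$upstream" cat-file -e "$sha" 2>/dev/null; then
    git --git-dir="$upstream" show --stat --format=%s "$sha"
    rm -rf "$work"
    echo "$sha still present after branch and fork deletion"
    return 0
  fi
  rm -rf "$work"; return 1
}
```

The same property is what makes key rotation, rather than deletion, the necessary fix: any key that ever reached the repository network should be treated as exposed.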

https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
