Don't forget API keys in commits from users foolish enough to trust the security of private repos.

Yeah, spear phishing / social engineering makes more sense for industrial espionage.