Credentials are in your git history. Reverting is not enough — anyone with repo access can find them. You need to rotate and scrub.
Before anything else, rotate every exposed credential. Assume they've been compromised the moment they hit the remote.
Use BFG Repo-Cleaner (fast and simple):
    bfg --delete-files .env
    bfg --replace-text passwords.txt

Then clean up and force push:
    git reflog expire --expire=now --all
    git gc --prune=now --aggressive
    git push --force --all

This rewrites all history. Every collaborator will need to re-clone. There is no way around this — the secret is baked into the commit objects.
Add a .gitignore entry and use a pre-commit hook or a tool like git-secrets to catch credentials before they're committed.
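A minimal pre-commit hook of the kind described above, as an added example (not code from this page or from git-secrets). The function name scan_staged_diff and the SECRET_RE patterns are assumptions chosen for illustration; tune the patterns to the credential formats your project actually uses.

```shell
#!/bin/sh
# Added example: pre-commit hook that rejects staged credentials.
# SECRET_RE is an illustrative assumption, not git-secrets' rule set.
# Matches: AWS access key IDs, PEM private key headers, and quoted literals
# assigned to password/secret/api_key/token.
SECRET_RE="AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(password|passwd|secret|api_?key|token)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{8,}[\"']"

# Reads a unified diff on stdin. Returns 1 if it stages a .env file or adds
# a line matching SECRET_RE. Removed ("-") lines are ignored so that a commit
# deleting a secret is not blocked.
scan_staged_diff() {
    diff_text=$(cat)
    status=0

    # "+++ b/<path>" names the post-image file; block .env at any depth.
    if printf '%s\n' "$diff_text" | grep -E -q '^\+\+\+ b/(.*/)?\.env$'; then
        echo "pre-commit: .env file is staged" >&2
        status=1
    fi

    # Keep added lines only, dropping the "+++ " file headers. Report a
    # count rather than the matching text so secrets are not echoed.
    hits=$(printf '%s\n' "$diff_text" | grep -E '^\+' |
           grep -E -v '^\+\+\+ ' | grep -E -i -c -e "$SECRET_RE") || true
    if [ "${hits:-0}" -gt 0 ]; then
        echo "pre-commit: $hits added line(s) look like credentials" >&2
        status=1
    fi
    return "$status"
}

# Run against the index only when installed as .git/hooks/pre-commit.
case "$0" in
    */pre-commit)
        git diff --cached --no-color -U0 | scan_staged_diff || exit 1
        ;;
esac
```

Save it as .git/hooks/pre-commit and make it executable. Hooks are local to each clone, so every collaborator has to install it.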