
Does this include deliberately sharing an API key, but in a 'not best practices' way?

i.e. "Here, just run document.cookie='SID=EB73542386AF235'." Then you'll be logged in as an account that can do what you're trying to do.



No. This checks public GitHub commits that contain secret credentials; in 2022, over 33% were specific to known APIs, such as AWS access keys or MongoDB credentials, while the remaining 67% were deemed "generic." According to the report, generic ones include secrets such as "a company email and a password that would end up hard-coded in a file."

It's not scanning developer support tickets to see when devs hand over credentials to specific individuals.


Methodology is super important here though. I've used static analysis tools that identify every single bit of fake unit test data with a field called 'username', 'email' etc as leaked credentials.


It looks like the best description of the methodology is here: https://docs.gitguardian.com/secrets-detection/detectors/gen...

It's pretty much checking if there's a variable called "_token" or "_secret" or similar which is then assigned to a string matching a regex looking for high entropy random-looking values.
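As an added illustration of the heuristic this comment describes (and of the unit-test false positive the earlier comment complains about), here is a small scanner of my own; it is not GitGuardian's code and does not follow the linked detector docs in any detail. The variable-name suffixes, the entropy and length thresholds, the single "specific" detector (AWS access key IDs start with AKIA followed by 16 uppercase alphanumerics) and every sample line are assumptions or constructed values.

```python
import math
import re

# Generic detector (assumption modelled on the thread's description): a variable
# whose name carries a sensitive suffix, assigned a quoted string value.
GENERIC_ASSIGN = re.compile(
    r'(?i)\b(?P<name>\w*(?:_token|_secret|_key|password|passwd))["\']?'
    r'\s*[=:]\s*["\'](?P<value>[^"\']+)["\']'
)

# Specific detectors: well-known credential formats that need no entropy check.
SPECIFIC = {
    "aws_access_key_id": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
}


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(value, min_len=16, min_entropy=3.5):
    """Crude 'high entropy, random-looking' test (thresholds are assumptions)."""
    return (
        len(value) >= min_len
        and shannon_entropy(value) >= min_entropy
        and re.fullmatch(r'[A-Za-z0-9+/=_\-]+', value) is not None
    )


def scan_lines(lines):
    """Return a list of findings; specific detectors win over the generic one."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        seen = set()
        for detector, pattern in SPECIFIC.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append({"line": lineno, "detector": detector,
                                 "name": detector, "value": m.group(0)})
        for m in GENERIC_ASSIGN.finditer(line):
            value = m.group("value")
            if value in seen or not looks_random(value):
                continue
            findings.append({"line": lineno, "detector": "generic",
                             "name": m.group("name"), "value": value})
    return findings


# Constructed sample file; none of these values are real credentials.
SAMPLE_LINES = """\
# constructed sample: fake config and test fixtures
aws_access_key_id = "AKIATESTKEY012345678"
db_password = "hunter2"
TEST_USER = {"username": "alice", "email": "alice@example.com"}
github_token = "q7Vd2mZkLp9sXw4TbNh8RcYe1JgA6uFo"
test_private_key = "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7"
""".splitlines()


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['detector']} ({f['name']}) -> {f['value']}")
```

Running it over the sample shows both behaviours the thread talks about: the fixture with `username`/`email` keys and the short `hunter2` password are not reported, because the name suffix alone is not enough and the value must also look random, while `test_private_key`, a realistic-looking base64 fragment in a test file, is reported just like the real-looking token, which is exactly the false positive a scanner tuned this way will produce on shipped unit tests.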


Yeah, for $curious_reasons we shipped our unit tests with our binaries and fake credentials would set off enterprise security scanners (although in our case it was a real enough looking PKI cert and not just data with username/password fields in it).


Good point. I wish they included more details about how they performed their searches, but I understand not wanting to feed tips and tricks to the bad guys...



