Kudos to the team over there for being as transparent about what happened and where they were not following best practices - I am pretty sure most companies would not publicly admit this:

we had secrets sprinkled in source control, in plain text in build systems and available through settings screens in the application.