If a developer lazily saved a file named password.txt or credentials.json in the root folder, anyone with the right search query could find it. Hackers used "Dorks" like: intitle:"index of" "password.txt"

If you are a user or admin concerned about password exposure:

- Use a Password Manager: Instead of storing credentials in a file, use tools like Google Password Manager.
- Disable Directory Indexing: Web admins should ensure Options -Indexes is set in their
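A local audit for the two issues above, as an added example that is not part of the original page: it walks a web root on disk, flags credential-style filenames, and reports whether Apache directory listing is on in each file's directory. Assumptions: Apache httpd with Options honoured in .htaccess files, Indexes enabled by the server default (worst case), and a hypothetical filename pattern.

```python
import re
import tempfile
from pathlib import Path

# Assumed name pattern; the page itself names password.txt and credentials.json.
RISKY = re.compile(r"(password|passwd|credential|secret)s?.*\.(txt|json|csv|bak)$", re.I)
OPTIONS = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.I | re.M)

def indexes_after(htaccess_text, inherited):
    """Return whether Indexes is on after applying this file's Options lines."""
    state = inherited
    for match in OPTIONS.finditer(htaccess_text):
        tokens = [t.lower() for t in match.group(1).split()]
        if "-indexes" in tokens:
            state = False
        elif {"+indexes", "indexes", "all"} & set(tokens):
            state = True
        elif not any(t[0] in "+-" for t in tokens):
            state = False  # absolute list such as "Options None" replaces the inherited set
    return state

def audit_docroot(docroot, server_default=True):
    """Return [(relative path, listing enabled in its directory?)] for risky files."""
    docroot, findings = Path(docroot), []
    def walk(path, inherited):
        state, htaccess = inherited, path / ".htaccess"
        if htaccess.is_file():
            state = indexes_after(htaccess.read_text(errors="replace"), inherited)
        for entry in sorted(path.iterdir()):
            if entry.is_dir() and not entry.is_symlink():
                walk(entry, state)
            elif RISKY.search(entry.name):
                # Reported even when listing is off: a direct URL still serves the file.
                findings.append((entry.relative_to(docroot).as_posix(), state))
    walk(docroot, server_default)
    return findings

def demo():
    """Audit a constructed sample tree built in a temp directory (runs offline)."""
    files = {"password.txt": "x", "app/credentials.json": "{}",
             "app/.htaccess": "# harden\nOptions -Indexes\n",
             "app/public/.htaccess": "Options +Indexes\n",
             "app/public/secrets.bak": "x"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return audit_docroot(root)
```

Every finding should be moved out of the web root; the boolean only tells you which ones are also discoverable through an auto-generated listing.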

Here is what remains vulnerable:
