If a website or server is misconfigured, a search engine crawler might index a file meant for internal debugging. This file could contain a plain-text log of user interactions, including:

When a search engine crawls these open directories, anyone can find them using specific search queries. This is a primary method for "credential stuffing" attacks, where hackers take leaked passwords from one site and try them on others, like Facebook or Gmail. How to Protect Your Data

Hackers use automated software to test the leaked username and password combination across hundreds of other websites, such as online banking, email providers, and shopping portals.

Even internal logs should never record:

For Apache servers, a simple .htaccess rule can prevent access to all .log files:

: This keyword narrows the search to logs specifically generated by credential-stealing malware (infostealers), automated scripts, or database backups that catalog login attempts.

You might think, "Surely Google doesn't index password files." You would be wrong.