Check HackerOne to see if the company is listed. This is a site where white hat hackers can post vulnerabilities and in return get rewarded for bounties.
If you have information on a vulnerability for a large social media, you might be looking at a nice reward. https://www.hackerone.com/product/bounty
What is interesting here though that this, like the Covid-19 leak in Brazil, the leak was on an employees GitHub. Not a companies account. So sure the employee could have prevented it, but from a company perspective. They have no authority to enforce coding practices on a personal GitHub account.
The only thing I can see preventing this at an organisational level is a DLP solution scanning the repositories (GitGuardian does this for example)
You can put detection in the CI/CD pipeline to prevent from getting into the repository. And in any case. Knowing the horses have run away as soon as possible is pretty essential in damage prevention.
What is interesting for me here is that this leak, like the Brazilian covid leak, happened because of an employees GitHub repository. Which companies have no authority over.
GitGuardian at least scans the GitHub accounts of employees though.
It's a difficult challenge. Secrets detection is probabilistic, without checking the credentials it's nearly impossible to determine, with 100% accuracy, a true vs a false positive. But it has made big improvements. What detection solutions have you been using?