Subject: Potential credential exposure on [URL] Body: I was performing routine security research and discovered a page at [full URL] that lists the phrase "username and password" followed by what appear to be valid credentials for your system. I have not tested or used these credentials. Please review and remove this information for your security.

The intext: operator tells Google to ignore titles and URLs, focusing strictly on the visible text of a page or document. When combined, a query like intext:"username" AND intext:"password" targets pages where both terms appear together. This often reveals:

http://example.com/backup.sql http://example.com/.git/config http://example.com/wp-config.php.bak

Replace legacy protocols that use in-text transmission.