HACKER Q&A
📣 dsgrillo

Private Repository on GitHub Leaked?


I had 2 accounts compromised last week:

1. AWS account
2. Gmail account

Both keys (account secrets for AWS and user/password for Gmail) were only used in a single repository hosted on GitHub, private, with only me as a collaborator. Both accounts were accessed within the same week, so this .env is likely the source of the leak.

For this project, I only work from the same PC. If my PC were compromised, I would expect other accounts to be compromised as well.

The application server (on DigitalOcean), which also reads from this repository, shows no sign of intrusion.

I know that keeping production keys in the repo is bad practice, but I was confident that if I was careful they would not be leaked easily.

Am I missing something else?


  👤 stevekemp Accepted Answer ✓
Go to the "Insights" tab on your repository, and you should be able to see the number of recent clones. If that number is bigger than zero, it might be that somebody else has fetched it.

But really, we can't tell; there's been nothing in the news about a mass compromise or mass leaking. So it is possible you've had a PC compromise by a slow and stealthy user, or something entirely different.
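One check that follows from this thread, as an added example that is not code from either poster: a small Python scanner that walks every commit reachable in the repository (so a .env that was later deleted or rewritten still counts) and reports the commits where AWS-key or mail-password indicators were introduced. The indicator regexes, the `.env` sample and the function names are assumptions; the history walk shells out to the `git` CLI.

```python
"""Scan a git repository's full history for the kinds of secrets the
question describes (AWS keys and a mail password kept in a .env file).
Hypothetical helper written for this thread; patterns are assumptions."""
import re
import subprocess
from typing import Dict, List, Tuple

# Indicator patterns (assumptions based on common credential formats).
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"AWS_SECRET_ACCESS_KEY\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "mail_password": re.compile(
        r"(?i)\b(?:GMAIL|SMTP|MAIL)_(?:PASSWORD|PASS|PWD)\s*[=:]\s*\S+"),
}

# Constructed sample .env; the AWS values are the public AWS docs examples.
SAMPLE_ENV = """# constructed sample, not real credentials
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GMAIL_USER=someone@example.com
GMAIL_PASSWORD=hunter2
DEBUG=true
"""


def find_secret_indicators(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched text) for every indicator found in text."""
    hits: List[Tuple[str, str]] = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            hits.append((kind, m.group(0)))
    return hits


def scan_git_history(repo_path: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk every commit on every branch and map commit -> indicators that
    were *added* in that commit (only '+' diff lines carry new material)."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "--all", "-p", "--no-color"],
        capture_output=True, text=True, check=True).stdout
    findings: Dict[str, List[Tuple[str, str]]] = {}
    commit = None
    for line in log.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]          # "commit <sha>" header
        elif commit and line.startswith("+") and not line.startswith("+++"):
            hits = find_secret_indicators(line[1:])
            if hits:
                findings.setdefault(commit, []).extend(hits)
    return findings


if __name__ == "__main__":
    for kind, value in find_secret_indicators(SAMPLE_ENV):
        print(f"{kind}: {value}")
```

Run `scan_git_history(".")` inside a checkout to list the commits that introduced each indicator; a hit in any pushed commit means the value should be treated as exposed and rotated, whatever the Insights tab shows.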