This reminds me of the time php.net went funny and started outputting all their PHP as text/html - they kept their DB credentials in a file included from their public_html directory and we were able to read the host details and username and password for their CMS.

Never ceases to amaze me that even big sites make little mistakes like that!