Only last month I removed a file called 'statuspage.aspx', this file has been sat there for years on our customer sites.

The file did one simple query on the database to ensure connectivity, this query dumped the admin username and password to the page, no encryption.

Needless to say we rolled out ab emergency update... Not quite sure how that made it through QA!