Where does the fault lie?
"secret access key" to the database... You mean password.
Posted to a gist, which was probably a secret gist, but it's still accessible by anyone who knows the url... I'm assuming they are trying to find the engineer who probably accidentally posted it with a paste of some code.
Is it their fault alone? Probably not.. Keys should be stored in configuration files or ENV, not code. If that was the case the whole team is responsible for never fixing that massively bad practice