I no point did I reuse any credentials.
The portal code allowed registration of new accounts (served over HTTP). This has been independently verified.
The financial records were in the repo. There was also a third-party SaaS product that had been configured with public read access. The URLs for the SaaS product were in the repo.
No credential use was necessary.