API keys are unique to each user, so when you request an API key from a company, they can trace it back to you, authenticate you, and grant you the right level of access. If you lose control of the private key, anyone who holds it can decrypt all of your communication and impersonate you.
This is an example of why you shouldn’t post private keys in places like GitHub:
Maybe your case isn’t as extreme as leaked AWS keys racking up a huge bill, but it’s still best practice to keep your keys out of source control, for example in a .env file that you add to your .gitignore.
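As an added example (not code from the original post), here is a small pre-commit style check of the .env/.gitignore practice: it parses a .env file, verifies that the file is covered by a .gitignore pattern, and flags values that look like access keys. The sample files, the simplified .gitignore matching (no negation or anchored paths) and the single AKIA pattern (the public AWS access key ID format) are my own assumptions.

```python
import fnmatch
import re

# Constructed sample files (not from the original post).
SAMPLE_DOTENV = """\
# local secrets; never commit this file
export API_KEY="sk_live_EXAMPLE_PLACEHOLDER"
AWS_ACCESS_KEY_ID=AKIAEXAMPLEPLACEHOLD   # inline comment
DB_URL='postgres://app:pw@localhost/app'
"""
SAMPLE_GITIGNORE = "node_modules/\n*.log\n.env\n"
KEY_PATTERNS = [re.compile(r"\bAKIA[0-9A-Z]{16}\b")]  # AWS access key IDs start with AKIA (public format)

def parse_dotenv(text):
    """Parse KEY=VALUE lines into a dict, handling comments, quotes and 'export'."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if value[:1] in ("'", '"'):           # quoted: take up to the closing quote
            end = value.find(value[0], 1)
            value = value[1:end] if end > 0 else value[1:]
        else:                                 # unquoted: drop any trailing comment
            value = value.split("#", 1)[0].strip()
        env[key.strip()] = value
    return env

def is_ignored(path, gitignore_text):
    """Simplified .gitignore check: some non-comment pattern matches the path or its basename."""
    pats = [p.strip().rstrip("/") for p in gitignore_text.splitlines()]
    return any(p and not p.startswith("#") and
               (fnmatch.fnmatch(path, p) or fnmatch.fnmatch(path.rsplit("/", 1)[-1], p))
               for p in pats)

def find_key_like_strings(text):
    """Return (line_number, match) pairs for strings that look like access keys."""
    return [(n, m.group(0)) for n, line in enumerate(text.splitlines(), 1)
            for pat in KEY_PATTERNS for m in pat.finditer(line)]

def preflight(dotenv_path, dotenv_text, gitignore_text):
    """Pre-commit check: is the .env file ignored, and which of its values look like keys?"""
    return {"ignored": is_ignored(dotenv_path, gitignore_text),
            "key_like": find_key_like_strings(dotenv_text)}
```

Calling `preflight(".env", SAMPLE_DOTENV, SAMPLE_GITIGNORE)` reports the file as ignored and flags the constructed AKIA value on line 3; a `False` for `ignored` is the case to stop a commit on.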
An oversimplified version of how attackers do this: they fingerprint the leaked key to see which services you are using, look for related resources that may match it (S3 buckets, additional keys), then exploit whatever they can reach, and they may cover their tracks so you never even notice.
If you’re on a team, you probably share the same keys, but it depends.