Researchers from SecurityDiscovery.com have found a security flaw in an Apache Airflow instance which allows anybody with an internet connection to view database credentials. It appears that the instance belongs to the Howard Hughes Corporation.

http://securitydiscovery.com/the-howard-hughes-corporation-leaks-database-passwords/