A sensitive value (password/token/api key) was sent as a URL query parameter, where it lands in logs, history, and Referer headers.
How it's exploited
Credentials or tokens appeared in a URL query string. URLs are logged everywhere: server access logs, proxies, CDNs, browser history, and Referer headers, so the secret multiplies across systems.
Why it matters
Session or API credentials persist in plaintext logs owned by third parties.
How to fix it
Move the credential to an Authorization header (or request body for form posts).
Invalidate tokens that were already sent via URL and scrub them from your own logs.