What version of Phabricator are you running? (You can find this in Config → Versions for recent versions.)

I can't reproduce this. Here's what I get:

Note that all the credentials are censored.

Versions:

phabricator 7ce84cc27b81a390d4a0d0c224dbc18597d6c1cc (Fri, Dec 4) 
arcanist 05ac4a67e22e06e836e2a0abfba1aa9826490e44 (Fri, Dec 4) 
phutil a6802e4d6b5f6ac4ada2256de27effa2b7189d0a (Fri, Dec 4)

In your report, you say <user email address> -- is the login username for this user a string including "@"? Does the UI print out a message like this?

https://xxxxx@domain.com:password@remote.example.com/...

..that is, the beginning of the email address is censored, but the rest of it is not and the password and domain are not? Or is the HTTP username not really an email address?

I should note that we're running the latest version of Git (2.6.3) which could be the culprit. From my superficial inspection of the code, it appears that the output of git fetch is simply reflected.

In T9966#148590, @epriestley wrote:

In your report, you say <user email address> -- is the login username for this user a string including "@"? Does the UI print out a message like this?

https://xxxxx@domain.com:password@remote.example.com/...

..that is, the beginning of the email address is censored, but the rest of it is not and the password and domain are not? Or is the HTTP username not really an email address?

The login username is an email address, yes. However, I don't know exactly which fields were censored, if any, as the user who noticed this on our Phabricator instance redacted his version before sending it to me.

I should note that we're running the latest version of Git (2.6.3) which could be the culprit. From my superficial inspection of the code, it appears that the output of git fetch is simply reflected.

Just to double check, did you see my screenshot above? Showing that the reflected text is censored? Is that what you're seeing exactly, except not censored?

I'm running Git 2.4.9 locally, which emits a very similar message, but Phabricator censors it on my system (see the screenshot).

We've done this since D8546 (March, 2015) and this behavior has test coverage which is green at HEAD:

https://secure.phabricator.com/diffusion/PHU/browse/master/src/utils/__tests__/PhutilUtilsTestCase.php;230c3e161c9ad7ee920d003b53e7c4a473a46207$596-624

So you haven't actually reproduced this yourself? Is it possible that the user mistook xxxxx as uncensored credentials? Can you try reproducing it directly?

I can't reproduce this locally even with a username email.

In T9966#148595, @epriestley wrote:

So you haven't actually reproduced this yourself? Is it possible that the user mistook xxxxx as uncensored credentials? Can you try reproducing it directly?

I can't reproduce this locally even with a username email.

I haven't attempted to reproduce this exactly, as I don't have a test Phabricator instance, and the exact repro. involves a DNS failure after the initial clone.

The user is "100% sure" that they saw their own password in the text. They then verified other users' passwords were displayed on other repository pages.

Without steps to reproduce the issue, what specifically do you suggest we do with this ticket?

I think this should now be fixed in HEAD. Let us know if we missed anything, and thanks for the report.

(In the future, it would be helpful if you're able to reproduce issues yourself and give us more detailed reproduction steps, include your version in the initial report, etc., so we don't need to go back and forth so many times clarifying things. I would probably have bailed out long ago if this wasn't security-related. See Contributing Bug Reports.)