Hi,

  I just created a free team account and a private repository (and yes, as expected, it says private next to the name), but I was able to clone the repo and even push content without any credentials, so it’s actually public!! 

This seems at best a major usability bug. I tried the contact form but I got an error.

Is it possible there were credentials loaded into the environment? If that is not the case this is a serious security flaw and the best thing to do is to contact them through their bounty program: https://hackerone.com/github.