One blog is accumulating Google code searches that reveal information they shouldn't. For example this search produces a list of some Drupal database usernames and passwords. Most are for distributions but a few folks have unwisely put backups of their configuration files in .tar files inside their web accessible directories.
Simply put, no file containing sensitive data should ever be stored in a web accessible directory unless it has the proper extension to prevent random browsing. Files like Drupal's settings.php are OK because they must go through the PHP processor. Putting settings.php.txt or a .tar file with a settings.php in a web directory is a bad idea.