Easy enough to make this mistake, and not realising it.
Develop something that needs Amazon S3 access, and put it on GitHub. It's easy enough to forget about removing your keys before doing a git commit, putting them on GitHub.
Next time maybe you do remember to do so; possibly not realising your first mistake. The keys remain available in previous versions of your software, and you'll never see this old version until you happen to do a rollback to exactly that revision. Rollbacks don't happen too often; to that specific version even less; and then you still have to look at the bit of code that has the keys and realise it's coming from the rollback.
Others that may download your updated (keyless) version also won't notice your keys are on GitHub, after all they're hidden in an older version, which you never see unless specifically requesting it.
What makes matters worse: with this bot it may take just minutes for your keys to be copied and put in use. TFS mentions just five minutes for that to have happened. Maybe it's specifically looking for new commits?
Anyway, easy enough to make such a mistake and not realising it. As such there are many AWS secret keys out there, that are still valid (owner doesn't realise they're out there so won't revoke them), and that are just waiting to be found and put into use.