You can find out what private repositories exist by brute-forcing the urls while not being logged in.
If a private repository exists you are redirectet to a login-page, e.g.:
If a private repository does not exist, you get a 404, eg:
This is a problem if the public should not know about the existance of private repository, e.g: /apple/ios7 or /valve/hl3