One of our developers followed the steps in, I presume, https://confluence.atlassian.com/display/BITBUCKET/Import+code+from+an+existing+project .
In my (=some kind of admin's) mailbox, a notification appeared:
Subject: Fwd: [Bitbucket] Your Git import job for some-repo-name has finished
You are receiving this email because you're an administrator of the some-team-name team.
The remote Git import you started for https://actualusername:email@example.com/some/local/path completed successfully.
Team email forwarding can be configured from the groups administration page
I see several things wrong with this:
1) the password is sent to another person 2) the password is sent in clear text from Australia (?) to Sweden (?), intercepted by NSA, GCHQ, FRA and others
Could you perhaps try to filter out passwords from these links that you send out?