I just happened to notice that PAWS's ToolsDB password is publicly available, which appears to contain client OAuth secrets for PAWS users (secrets connected to my account are there and I confirmed via production database queries they're valid).
Fortunately, it looks like the secrets are related to some older version of PAWS (the associated consumer ID is 0a73e346a40b07262b6e36bdba01cba4, which has https://paws.wmflabs.org/paws/hub/oauth_callback as the callback; the current PAWS consumer seems to use https://hub.paws.wmcloud.org/hub/oauth_callback instead).
That being said, it still exposes sensitive tokens for a great number of users. Considering the secret consumer token was necessarily published within the PAWS container (T120469), this means there can be users with the technical ability to impersonate the old PAWS users on-wiki. EDIT: /data/project/paws/Tbayer has the consumer secret as well.
The SQL password (and some other secrets) is available in /data/project/paws/hub-rc.