If a replication fails to start then the `#rep` record is logged . This can contain credentials in either the source or target `#httpdb` records, either in urls or the authorization header.
This can be reproduced by posting a replication document which specifies a replication from a database that doesn't exist and following the logs, e.g.: https://gist.github.com/mikewallace1979/757a48bce6b84fbf080c
Note that the creds are exposed both when they are in the source/target url or in the `Authorization` header.