Bitbucket OAuth Plugin stored a credential unencrypted in the global config.xml configuration file on the Jenkins master. This credential could be viewed by users with access to the master file system. Bitbucket OAuth Plugin now stores this credential encrypted.
Mattermost allows the definition of incoming (from the perspective of the service) webhook URLs. These contain what is effectively a secret token as part of the URL. Mattermost Notification Plugin stored these webhook URLs as part of its global configuration file jenkins.plugins.mattermost.MattermostNotifier.xml and job config.xml files on the Jenkins master. These URLs could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the master file system.