Deleted commit still reachable from GitLab web interface knowing its hash

Some weeks ago I accidentally committed a configuration file containing some passwords and I pushed it on a GitLab remote.

After that I used BFG Repo-Cleaner to remove the passwords from the history.

After the clean I executed:

git reflog expire --expire=now --all && git gc --prune=now --aggressive
git push --force

I saw that the commit hashes have been changed and sensitive data has been removed (I can see that both by using the GitLab web interface and by exploring a new clone of the repo).

However, if I access one of the old pages by calling the URL directly (https://<my-company>/gitlab/test-bfg/commit/<theoretically-unexisting-hash>) I can see a git diff of a commit containing the passwords! I discovered this accidentally while navigating through the browser history.

If I try to check out the same hash on the freshly cloned repo, I get this message:

fatal: reference is not a tree: d7fb999c...

So, if a person clones that repo from GitLab, I think he or she is not able to view that commit; however, it is still visible from the web interface, if one could guess an old hash.

From GitHub help about removing sensitive data I read:

commits may still be accessible […] hashes in cached views on GitHub. […] you can permanently remove all of your repository’s cached views and pull requests on GitHub by contacting GitHub Support.

So, if this behavior is due to the same issue described in GitHub help, how can I delete my cached views from GitLab?

Thank you

P.S. Repo is currently private but we want to make it public, so passwords are not compromised at the moment.

Same here.
Deleting commits from the git repository only deletes them from the git repository file, while GitLab keeps information in the database. So directly deleting the git repository actually won’t delete the old commits from the database.

Aug 2018 and still existing. I wouldn’t care actually if I had the time to remove it and force pushed again immediately, since they wouldn’t see it in the UI. It happened that my push triggered a failed pipeline and sent out an email with a link to the failed commit.

Did preventive actions already, but it still would be cool if GitLab could remove the commit permanently.
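
Added example (not part of the posts above, and not GitLab's or BFG's code): the question turns on the difference between a commit that no ref points to and a commit whose object is actually gone. This shell check classifies each pre-rewrite hash in a repository you can read on disk as reachable, unreachable (object still stored) or absent. The function names and the input file of one old hash per line are assumptions of this example.

```shell
#!/bin/sh
# Classify pre-rewrite commit hashes in a repository on disk.
# reachable   : some ref (branch, tag, any other ref) still contains the commit
# unreachable : no ref contains it, but the object is still stored, so anything
#               that looks objects up by hash can still show it
# absent      : the object is gone from this repository

# classify_commit REPO SHA  -> prints reachable | unreachable | absent
classify_commit() {
    c_repo=$1
    c_sha=$2
    # cat-file -e exits non-zero when the object cannot be resolved as a commit
    if ! git -C "$c_repo" cat-file -e "${c_sha}^{commit}" 2>/dev/null; then
        echo absent
        return 0
    fi
    # for-each-ref --contains lists every ref whose history includes the commit
    c_refs=$(git -C "$c_repo" for-each-ref --contains "$c_sha" \
                 --format='%(refname)' | head -n 1)
    if [ -n "$c_refs" ]; then
        echo reachable
    else
        echo unreachable   # kept alive only by reflogs or not yet pruned
    fi
}

# audit_old_hashes REPO FILE
# FILE holds one old hash per line (extra fields on a line are ignored).
# Prints "<hash> <state>" per line; returns 1 if any hash is not absent.
audit_old_hashes() {
    a_repo=$1
    a_list=$2
    a_leftover=0
    while read -r a_sha a_rest; do
        [ -n "$a_sha" ] || continue
        a_state=$(classify_commit "$a_repo" "$a_sha")
        printf '%s %s\n' "$a_sha" "$a_state"
        [ "$a_state" = absent ] || a_leftover=1
    done < "$a_list"
    return "$a_leftover"
}

# Script use: sh audit.sh /path/to/repo old-hashes.txt
if [ "$#" -eq 2 ]; then
    audit_old_hashes "$1" "$2"
fi
```

A fresh clone reports the old hashes as absent because unreachable objects are not transferred, which matches the `reference is not a tree` error in the question; the same check only says something about the server when it is run against the server-side copy of the repository.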