Your super secret subdomain is not a super secret
You’ve started a new project right? Figure you want to show it off to a bunch of people. Sending preview links to friends and supporters?
The subdomain you’re using is not private information. The obvious - the people you send it to could just link it to anyone.
The less obvious is that there’s a log of SSL certificates issued. If you’ve set up HTTPS of any kind for the subdomain it’s now listed in the Certificate Transparency log. I already knew this so I have no shame, these are all just subdomains I use for keeping track of which server things are on so no biggie. In your case though this might also reveal your origin IP address and all sorts. Subdomains are not private. Stop doing that.
Not a believer? Chuck your domain into Google’s Transparency Report site
Don’t just rely on hard to guess subdomains to hide your shiny new project. They’re public knowledge. Put some auth on it!