Kinda ironic, don't you think?
It is a common Java development pattern to handle passwords and related secrets as String objects. Unfortunately, String objects cannot be reliably cleared from memory. As a result, once a secret has been placed in a String, it will continue to exist for the life of the JVM (or until the next garbage collection, *cross fingers*), or for as long as the JVM's footprint lingers in the machine's swap space.
It is easy to forget about this common, insecure Java programming pattern. Thankfully, I was watching Square's open source projects. Square's team was able to correct their encryption service's usage of this pattern. More importantly, they were able to correct it in a timely fashion. Many kudos to their Vuln. Mgt., AppSec, and Development teams.
For the Java coder in you, the changelist may be found @ https://github.com/square/keywhiz/commit/047e294e51026333bc15ccbfc44131249c9531bb
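For anyone wanting to see the safer pattern in code, here is an added example (mine, not Square's code and not what the linked commit contains) of keeping a password in a `char[]` that can be wiped once it has been used. The password, salt, and PBKDF2 parameters are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example: keep secrets in char[]/byte[] so they can be zeroed after use. */
public final class PasswordHandling {

    /** Derive a key from the password without ever materialising it as a String. */
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        // PBEKeySpec takes char[] directly and copies it; clearPassword() wipes that copy.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    /** UTF-8 encode into a buffer we own, so the intermediate copy can be wiped too. */
    static byte[] toUtf8Bytes(char[] chars) {
        ByteBuffer bb = ByteBuffer.allocate(chars.length * 3); // upper bound for UTF-8 output
        StandardCharsets.UTF_8.newEncoder().encode(CharBuffer.wrap(chars), bb, true);
        bb.flip();
        byte[] out = new byte[bb.remaining()];
        bb.get(out);
        Arrays.fill(bb.array(), (byte) 0); // new String(chars).getBytes() would leave an un-wipeable copy
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample password; in real code read it with Console.readPassword().
        char[] password = {'c', 'o', 'r', 'r', 'e', 'c', 't', 'h', 'o', 'r', 's', 'e'};
        byte[] salt = new byte[16]; // constructed; use SecureRandom for a real salt
        try {
            byte[] key = deriveKey(password, salt);
            System.out.println("derived " + key.length + " key bytes");
            Arrays.fill(key, (byte) 0);
        } finally {
            Arrays.fill(password, '\0'); // the char[] is mutable, so the secret really is gone
        }
    }
}
```

Wiping is best-effort: the JVM may still have copied the arrays during garbage collection or written them to swap, which is why the window in which the secret exists should be as short as possible.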