tl;dr there were two leaks: A Microsoft employee had compiler issues and attached the code to a publicly-visible bug report, and Microsoft's public symbol server had debug symbols for the library (which makes it a lot easier to reverse engineer and debug the production build in a debugger).
Did the employee that accidentally leaked it think that the public developer community was an internal bug tracker? Strange. I wonder if Microsoft do actually use the same site for both internal and external bugs and the employee just selected the wrong category when posting. Seems like an unnecessary risk.