Older web projects (though not only older ones) tend to accumulate abandoned folders, including old backups, database dumps and legacy code, that are publicly available.
It’s crucial to keep anything private outside of the public_html folder (or equivalent).
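One way to audit a web root for such leftovers, as an added example that is not from the original post. The suffix and directory lists, the function names and the sample tree are assumptions constructed for illustration and should be tuned per project:

```python
import os
import tempfile

# Assumed patterns for files that rarely belong under a web root; tune per project.
RISKY_SUFFIXES = (".sql", ".sql.gz", ".bak", ".old", ".orig", ".swp", ".zip",
                  ".tar", ".tar.gz", ".tgz", ".7z", ".rar", "~")
RISKY_DIRS = {".git", ".svn", "backup", "backups", "old", "dump"}


def find_exposed(docroot):
    """Return sorted docroot-relative paths that look like backups, dumps or VCS data."""
    hits = []
    for current, dirs, files in os.walk(docroot):
        for d in list(dirs):
            if d.lower() in RISKY_DIRS:
                hits.append(os.path.relpath(os.path.join(current, d), docroot) + os.sep)
                dirs.remove(d)  # the whole directory is flagged; do not descend into it
        for name in files:
            if name.lower().endswith(RISKY_SUFFIXES):
                hits.append(os.path.relpath(os.path.join(current, name), docroot))
    return sorted(hits)


def build_sample_docroot(base):
    """Create a constructed public_html tree for the demonstration."""
    root = os.path.join(base, "public_html")
    for rel in ("index.php", "css/site.css", "db_dump.sql", "site-2019.tar.gz",
                "config.php.bak", "old/index.php", ".git/config"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_exposed(build_sample_docroot(tmp)):
            print("move outside the web root or delete:", hit)
```

Run against a real deployment by passing the actual document root to `find_exposed`; anything it reports should be moved outside the web root or removed.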
Some bots scan the website and index such vulnerabilities. Hackers get notified about easy prey and then attempt an attack. “Attack” is a strong word: they will simply download the backups or private files.
The screenshot of the log below illustrates this.