How can it leak when they only use it internally? They would have to announce this IP range specifically through BGP et al, which I can only assume would raise some serious questions, given that they cannot possibly be the official owner of this range?
On the other hand, that’s probably how we ended up with this article. I still don’t understand how this could have been an accident though.
No, these are being found in traceroutes. Any time you end up being routed over a private network you can end up with private non-announced IP addresses being present in said traceroute - seeing 10.x.x.x addresses in the middle of traceroutes is something you will see occasionally as well. When the TTL expires and the router sends the TTL exceeded message back, it has to select SOMETHING for the source IP address, and there's nothing to prevent that choice being the internal IP address it uses.
On the other hand, that’s probably how we ended up with this article. I still don’t understand how this could have been an accident though.