WPEngine is a provider of managed WordPress hosting. WPEngine creates a folder named _wpeprivate that contains the config.json file. This file contains highly sensitive information (such as WPEngine database credentials) and should not be publicly accessible. It was confirmed that it's possible to access this file without authorization.
You should restrict access to the _wpeprivate directory by adjusting your web server configuration.