Google: Chrome will no longer trust Symantec certificates, 30% of the web will need to switch Certificate Authorities

Not necessarily. Google says they found out about the certificates’ issuance via the Certificate Transparency Service, which is an append-only log of various certificate activities. CAs are encouraged to add a log entry every time they sign a certificate. And it was in that log that Google found references to the certificates Symantec signed for ‘google.com’ and ‘www.google.com’. It seems likely that Symantec’s signing tools automatically submitted the certificate metadata to Certificate Transparency when the test certificates were signed.

Thus, the certificates themselves could quite plausibly have remained internal within Symantec, whilst proof of their generation was transmitted out onto the Internet for Google to find.

With that said, it’s also possible that Google’s webcrawler came across a publicly-accessible Internet site using the certificate, as Google’s webcrawler does log all certificates it encounters into Google’s own Certificate Transparency log. But I would have expected to see an (even) bigger public outcry if that had been the case; it seems far more likely to me that the certificates did remain internal at Symantec, at least in the case of these testing certificates.

5 Likes
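The reply above leans on one property of Certificate Transparency: the log is append-only, and anyone can later verify that a specific entry really is in it. The following is an added example, not code from the post or from any CT log implementation. It builds the RFC 6962 Merkle tree over a small constructed log of certificate-like entries, produces an inclusion proof for one entry, verifies that proof the way a monitor would (the verification loop follows the RFC 9162 algorithm), and shows that a tampered entry no longer verifies. The entry strings, domain names and the `monitor_log` helper are constructed for illustration and are not real certificates or real log data.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 section 2.1: leaves are domain-separated with a 0x00 prefix.
    return sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior nodes use a 0x01 prefix so a leaf can never masquerade as a node.
    return sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    # Largest power of two strictly less than n (requires n >= 2).
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries) -> bytes:
    """Merkle Tree Hash (MTH) of the log, as defined in RFC 6962."""
    n = len(entries)
    if n == 0:
        return sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_proof(index: int, entries) -> list:
    """Audit path for entries[index]: sibling hashes from the leaf up to the root."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_head(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int, proof: list, root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path (RFC 9162 verification loop)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False  # more proof nodes than the tree has levels
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # sibling is on the left
            if not fn & 1:
                # Leaf sits on the right edge of an incomplete subtree: skip
                # the levels where it has no sibling.
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def monitor_log(entries, domain: bytes) -> list:
    """Constructed monitor: find entries naming a domain and return (index, proof) pairs."""
    return [(i, inclusion_proof(i, entries)) for i, e in enumerate(entries) if domain in e]


# Constructed stand-ins for logged certificate entries; not real certificates.
LOG = [
    b"CN=shop.example.net, issuer=Example CA, serial=1001",
    b"CN=mail.example.org, issuer=Example CA, serial=1002",
    b"CN=www.example.com, issuer=Example CA, serial=1003",
    b"CN=test.example.com, issuer=Example CA, serial=1004",
    b"CN=api.example.io, issuer=Example CA, serial=1005",
]


def demo() -> dict:
    root = tree_head(LOG)
    hits = monitor_log(LOG, b"example.com")
    verified = all(verify_inclusion(LOG[i], i, len(LOG), proof, root) for i, proof in hits)
    # A tampered entry (or a forged proof) fails to reproduce the signed root.
    idx, proof = hits[0]
    tampered_ok = verify_inclusion(LOG[idx].replace(b"serial=", b"serial=9"), idx, len(LOG), proof, root)
    # Appending changes the root, but every prior entry is still provable in the new tree.
    extended = LOG + [b"CN=new.example.net, issuer=Example CA, serial=1006"]
    new_root = tree_head(extended)
    still_there = verify_inclusion(LOG[idx], idx, len(extended), inclusion_proof(idx, extended), new_root)
    return {"hits": [i for i, _ in hits], "verified": verified, "tampered_ok": tampered_ok,
            "root_changed": root != new_root, "still_there": still_there}


if __name__ == "__main__":
    print(demo())
```

The monitor side is the part that matters for the post's argument: whoever scans the log for entries naming their domain can verify each hit against the log's published tree head without ever seeing the certificate served anywhere, which is exactly how a test certificate that never left the CA could still become public knowledge.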