
CISA Admin Leaked AWS GovCloud Keys On Github (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history. On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon's company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn't responding and the information exposed was highly sensitive.

The GitHub repository that Valadon flagged was named "Private-CISA," and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets. Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories. "Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature," Valadon wrote in an email. "I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I've witnessed in my career. It is obviously an individual's mistake, but I believe that it might reveal internal practices."
"Currently, there is no indication that any sensitive data was compromised as a result of this incident," a CISA spokesperson wrote. "While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences."

The GitHub account in question was taken offline shortly after CISA was notified about the exposure. However, according to Caturegli, the exposed AWS keys remained valid for another 48 hours.

"What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025," Caturegli said. "This would be an embarrassing leak for any company, but it's even more so in this case because it's CISA."
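The report describes three kinds of material that ended up in the repository: AWS cloud keys, plaintext passwords in a CSV, and a deliberately disabled GitHub secret-blocking feature. The following is an added example, not code from KrebsOnSecurity, GitGuardian or CISA, of a local pre-commit style scanner that catches those same categories before a push, so the check does not depend on a server-side setting a user can switch off. The sample "repository" is constructed for the example; the 40-character secret key is the placeholder value used in AWS's own documentation, and the access key ID is a made-up value in the documented AKIA/ASIA format.

```python
"""Local secret scanner (added example; assumes nothing about CISA's tooling).

Flags the kinds of material described in the report: AWS access key IDs,
AWS secret access keys, private key blocks, and CSV rows carrying
plaintext passwords.  Intended to run as a pre-commit hook so the check
cannot be bypassed by disabling the hosting platform's push protection.
"""
import math
import re
from collections import Counter

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for
# long-term IAM keys, ASIA for temporary STS keys) plus 16 upper-case
# alphanumerics.  This is the documented format, not a page-specific value.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 chars of base64-ish text; require the variable
# name in context so ordinary 40-char strings do not trigger on their own.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
PASSWORD_FIELD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\b")


def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores well above prose."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> list:
    """Return (finding_type, matched_text) tuples for one line of text."""
    findings = []
    for m in AWS_ACCESS_KEY_RE.finditer(line):
        findings.append(("aws_access_key_id", m.group(0)))
    for m in AWS_SECRET_KEY_RE.finditer(line):
        token = m.group(1)
        # Entropy threshold rejects obvious fillers such as "xxxx...".
        if shannon_entropy(token) > 4.0:
            findings.append(("aws_secret_access_key", token))
    if PRIVATE_KEY_RE.search(line):
        findings.append(("private_key_block", line.strip()))
    return findings


def scan_file(path: str, content: str) -> list:
    """Scan one file; returns (line_no, finding_type, excerpt) tuples."""
    findings = []
    lines = content.splitlines()
    for i, line in enumerate(lines, 1):
        for kind, text in scan_line(line):
            findings.append((i, kind, text))
    # CSV backups: a header naming a password column with non-empty values
    # beneath it is reported once per row, mirroring the "passwords in a
    # csv" case from the report.
    if path.lower().endswith(".csv") and lines:
        header = [h.strip().lower() for h in lines[0].split(",")]
        pw_cols = [idx for idx, h in enumerate(header) if PASSWORD_FIELD_RE.search(h)]
        for i, line in enumerate(lines[1:], 2):
            cells = line.split(",")
            for idx in pw_cols:
                if idx < len(cells) and cells[idx].strip():
                    findings.append((i, "plaintext_password_column", header[idx]))
    return findings


def scan_repo(files: dict) -> dict:
    """Map every path in {path: content} to its list of findings."""
    return {path: scan_file(path, content) for path, content in files.items()}


def should_block_commit(results: dict) -> bool:
    """A pre-commit hook would exit non-zero when this returns True."""
    return any(results.values())


# Constructed sample repository; no real credentials appear here.
SAMPLE_REPO = {
    "config/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "backups/accounts.csv": "user,password\nadmin,hunter2\nsvc,\n",
    "keys/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "Deployment notes\nSee the internal wiki for credentials.\n",
}

if __name__ == "__main__":
    results = scan_repo(SAMPLE_REPO)
    for path, found in results.items():
        for line_no, kind, excerpt in found:
            print(f"{path}:{line_no}: {kind}: {excerpt}")
    raise SystemExit(1 if should_block_commit(results) else 0)
```

Wired into a git pre-commit hook, the script would read staged file contents instead of the constructed dictionary and refuse the commit on any finding; the CSV rule is deliberately narrow (header must name a password column) so that ordinary data exports do not block every commit.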

  • Seriously (Score:5, Funny)

    by Anonymous Coward on Tuesday May 19, 2026 @02:03PM (#66151401)

    How could Joe Biden allow this to happen?

    • How could Joe Biden allow this to happen?

      Thankfully, Trump hires, "only the best people". /s

      • Even though I don't even know what sort of humor I was hoping for on this story, I'm sure AC's brain fart was not it.

        Just read another book with something about why anonymity encourages people to become worse people over time... Must have been in the Facebook-related stuff.

        Me? I didn't even want to use GitHub but Claude.ai made me do it.

• I'm honestly surprised that the CISA spokeswoman didn't include a non sequitur like "we are re-building a world class workforce after the DEI-driven destruction caused by Biden's administration" nor a statement praising Donald Trump. Typically at least one of the two is included in any deflection offered by the current administration.

  • Interesting (Score:3, Insightful)

    by ArchieBunker ( 132337 ) on Tuesday May 19, 2026 @02:06PM (#66151409)

    Almost like firing staff indiscriminately and hiring loyalists leads to fuck ups.

    • by DarkOx ( 621550 )

maybe partly, but the reality I know as someone who reads a lot of penetration testing reports, is big supposedly mature organizations end up putting useful credentials (as in not just some QA mock environment nobody cares about in CI/CD stuff) in their git commits, all the freaking time.

      Cloud security is a s*** show a lot of places, even places with mostly capable people, it only takes one idiot or one careless person to really mess things up badly. That is the problem with PaaS/SaaS model generally.

• What you say is true, but is compounded by the downsized high productivity consider humans as fungible capital/resources development mentality of the last couple decades.

• They will never learn that ideological purity and competence are not the same thing.

  • They already lost basically everything. I mean shit man, they got all the spies on the payroll and everyone's mother's address when the OMB hack happened. Didn't they also lose the B2 Bomber plans to the Chinese. Shit, at this point we ought to just pay the Chinese to host our fucking military servers. They'd probably be more secure.
  • by Himmy32 ( 650060 ) on Tuesday May 19, 2026 @02:24PM (#66151441)
    Just wildly shameful for the organization that's supposed to be writing the book on best practices to allow something so bad. But as the story goes, can't shame the shameless.
  • The alarming issue is how common it is for secrets to be leaked. This isn't a one-off, it's constant, and with the advent of tools and platforms to prevent it, it's shocking how common it is. Why hard-code any secret? Proton Pass CLI is a great tool for storing secrets, and recalling them at run time only when needed. If you don't want to use Proton Pass, fair enough, many tools exist to provide the abstracted security.

Another disturbing point, why was GitHub being used? Standing up a Git server is easy.
• Own github repo needs backups and resilience against failing HDs etc. GitHub have these and it is less likely your repository is destroyed by crashes of hardware or software errors. GitHub also don't cost very much.
      • by unrtst ( 777550 )

Own github repo needs backups and resilience against failing HDs etc. GitHub have these and it is less likely your repository is destroyed by crashes of hardware or software errors. GitHub also don't cost very much.

Excellent point - i.e.: GitHub ALSO has a backup of all these credentials in their backups and mirrored across who knows how many places, all of which could still be leaked.

        Sorry, but there's no way to sell this as a good decision.

    • Another disturbing point, why was GitHub being used? Standing up a Git server is easy

      Yeah that. Why not a GitGov or GovHub? It makes zero sense.

      • Certainly suitable, just why GitHub? Maybe GitHub has a government offering, I don't know, but it sounds weird to me to use GitHub for a government security contractor.
• GitHub was probably being used because someone in government considers it COTS software from a reliable American corporation. Those people who used to insist on using IIS instead of Apache are still around!

• That's hilarious, I still have the IIS vs Apache (or Nginx, lightHTTP, etc...) discussion with people. To be fair, I don't know if there is a use case where IIS is the best solution, there could be, but in at least 15 years, I haven't run into it, or heard about it.
  • Please, there's no way this was by mistake. It's a hack from the inside. Just like all of the others.

• I was just going to remind IS of their password policy recommendations that everyone doing business with the feds is supposed to follow.

    So much for that fucking idea.

  • And this is why... (Score:5, Informative)

    by YuppieScum ( 1096 ) on Tuesday May 19, 2026 @03:07PM (#66151515) Journal

    ...we laugh when a Government says "We must have backdoor access to everyone's cryptography, it will be perfectly safe with us."

  • It is an inherent flaw within the bureaucracy and how they operate. During the audits they just go through the paperwork and make sure the right check boxes are checked.
    They do not check the paperwork against the actual real work IT operations.
    That is why they fail! Nothing is really being checked, except that the audit documentation says what it needs to say.
