NewsBin
Mainstream Krebs on Security 2 days ago

CISA Admin Leaked AWS GovCloud Keys on Github

A contractor for the Cybersecurity and Infrastructure Security Agency (CISA) inadvertently exposed highly sensitive credentials and internal system details through a public GitHub repository until this past weekend. The repository contained administrative keys for multiple AWS GovCloud accounts, plaintext passwords, tokens, logs, and documentation on how CISA builds and deploys software internally. Security researchers described the leak as one of the most severe government data exposures in recent memory, highlighting significant lapses in security practices.

The exposure was discovered by Guillaume Valadon, a researcher at GitGuardian, a firm that monitors public code repositories for leaked secrets. Valadon alerted the contractor after attempts to contact them went unanswered. The repository, named “Private-CISA,” included files such as “importantAWStokens” and “AWS-Workspace-Firefox-Passwords.csv,” which contained administrative credentials and usernames and passwords for dozens of internal CISA systems. Philippe Caturegli, founder of security consultancy Seralys, confirmed that some of the exposed keys were still active and could access sensitive environments, including the agency’s Landing Zone DevSecOps secure code development environment.

Experts noted that the leak reflected poor security hygiene, with evidence that the CISA administrator had disabled GitHub’s default protections against publishing secrets publicly. The repository appeared to be used as a personal working space rather than a properly managed project, mixing personal and official email addresses. While the leak was attributed to an individual contractor’s error, it raised concerns about broader internal security protocols within CISA and the potential risks posed by such exposures to national cybersecurity infrastructure.

This incident underscores the critical need for stringent security controls and oversight, especially within government agencies handling sensitive information. The exposure of AWS GovCloud credentials and internal system passwords could have allowed unauthorized access to critical infrastructure, posing significant risks to national security and operational integrity. CISA has since taken steps to remove the repository and presumably mitigate the fallout, but the event serves as a cautionary tale about the dangers of inadequate security practices in government IT environments.

Original story by Krebs on Security
