Publicly Exposed Credentials Created a Serious Security Risk

U.S. cybersecurity agency CISA may have avoided a sizable security breach after a good-faith security researcher found publicly exposed credentials that allowed access to government cloud and internal agency systems.

The credentials were found in plaintext inside spreadsheets that had been made publicly accessible in a GitHub repository. The repository was maintained by an employee working for a CISA contractor. The exposed material reportedly included credentials used to access systems belonging to CISA and its parent agency, the Department of Homeland Security.

The exposed data included access tokens, cloud keys, and other sensitive files. Some of the keys were tested and verified as valid, according to the researcher who identified the exposure.

How the CISA GitHub Exposure Was Found

GitGuardian security researcher Guillaume Valadon identified the exposed credentials in spreadsheets available through the public GitHub repository. The credentials were not hidden behind secure storage controls. They were visible as plaintext, which created a direct risk if anyone with access to the public repository discovered them.

Valadon reported the issue after the CISA contractor responsible for the GitHub environment did not respond to alerts. That lack of response became part of the broader concern: the exposure involved sensitive government access credentials, but the initial attempts to notify the responsible party did not lead to a timely response.

The situation placed CISA in a difficult position because the agency’s role is to protect cybersecurity across the civilian federal network. CISA also advises organizations on cybersecurity best practices, including the secure handling of passwords and the use of protected password managers rather than unprotected spreadsheets.

What Was Exposed in the CISA Security Lapse

The exposure was described as reams of plaintext credentials stored in spreadsheets. These included several categories of sensitive access material:

  • Access tokens
  • Cloud keys
  • Other sensitive files
  • Credentials tied to CISA systems
  • Credentials tied to Department of Homeland Security systems

Because some of the keys were tested and found to be valid, the exposure was not merely theoretical. Valid credentials can allow access to systems if they are discovered and used by someone with harmful intent.

It remains unclear whether anyone other than the good-faith researcher found or used the credentials. CISA did not immediately comment when asked whether the agency had evidence of a breach resulting from the exposure. It was also not immediately clear whether the exposed credentials had been revoked and replaced following the incident.

Why the Exposure Is Especially Embarrassing for CISA

The lapse is particularly embarrassing because CISA is the U.S. government agency responsible for cybersecurity across the civilian federal network. Its public role includes advising on best practices that help organizations avoid exactly this type of risk.

One of those practices is secure password storage. Credentials should be kept in secured password managers, not in unprotected spreadsheets. The exposure of plaintext credentials in a publicly accessible GitHub repository runs directly against that guidance.

The issue also highlights the security responsibility that remains with an agency even when contractors are involved. Although the incident was traced back to an employee working for a CISA contractor, CISA remains responsible for protecting its own network and systems, including the environments and access handled by contractors working on its behalf.

Contractor Access and CISA’s Security Responsibility

The exposed GitHub environment was maintained by an employee working for a CISA contractor. That detail matters, but it does not remove CISA’s responsibility for the security of its systems.

Contractors often work with sensitive environments, and when they do, their security practices become part of the agency’s overall risk surface. If a contractor-maintained repository exposes credentials for agency systems, the resulting risk still affects the agency directly.

In this case, the exposed credentials reportedly allowed access to CISA and Department of Homeland Security systems. That makes the incident more than a contractor-side mistake. It became a potential government systems security issue.

The episode shows how sensitive credentials can create risk when stored in everyday files such as spreadsheets, especially when those files are placed in repositories that become publicly accessible.

Unanswered Questions About the CISA Data Exposure

Several important details remain unresolved.

CISA did not immediately say whether it had evidence that anyone accessed or used the credentials beyond the researcher who discovered them. That leaves open the question of whether the exposure resulted in unauthorized access.

It also was not immediately clear whether CISA revoked and replaced the exposed credentials after the incident. Replacing exposed credentials is a critical response step because valid access tokens and cloud keys may remain usable until they are removed or rotated.

The available information also does not say how long the credentials were exposed on the open web or whether any other parties discovered the public repository before the researcher reported it.

CISA Leadership and Workforce Context

The incident comes while CISA has been operating without a permanent director. The agency has been without permanent leadership since Jen Easterly stepped down ahead of the incoming Trump administration.

CISA has also lost about a third of its workforce following cuts, furloughs, and layoffs since Trump took office. Those workforce reductions form part of the broader operating context surrounding the agency as it handles its cybersecurity responsibilities.

Key Security Takeaways From the CISA Credential Exposure

The exposure underscores a simple but serious cybersecurity lesson: plaintext credentials should not be stored in unsecured spreadsheets, especially when those spreadsheets can become publicly accessible.

Cloud keys, access tokens, and internal system credentials are high-risk assets. If they are exposed, anyone who finds them may be able to access protected systems, depending on the permissions attached to those credentials.

The incident also shows the importance of clear reporting and response channels. A researcher found the issue and tried to alert the contractor responsible for the GitHub environment. When that did not produce a response, the lapse was escalated.

For an agency charged with advising others on cybersecurity practices, the case carries added weight. CISA’s own systems and contractor-managed environments are expected to reflect the same security standards the agency recommends to others.