Skip to main content
Emerging ThreatsData Breaches

CISA Leak Exposes Gaps in Incident Response, Key Management

CISA Leak Exposes Gaps in Incident Response, Key Management

844 MB of sensitive CISA-related data sat in a public GitHub repository called "Private CISA" for almost six months before the agency was notified on May 15, 2026.

The exposure: "Private CISA" and the credentials left in public

On May 15, 2026 the security firm GitGuardian asked for help notifying the Cybersecurity and Infrastructure Security Agency (CISA) about a public GitHub repository named "Private CISA" that contained 844 MB of CISA-related material. Among the files were one titled "importantAWStokens" that included administrative credentials to three Amazon AWS GovCloud servers and another named "AWS-Workspace-Firefox-Passwords.csv" that listed plaintext usernames and passwords for dozens of internal CISA systems.

CISA's timeline: acknowledgment, key rotation, and containment

CISA quickly acknowledged KrebsOnSecurity’s initial alert, but the agency took more than 48 hours to invalidate the AWS keys and many other leaked secrets. In its postmortem, CISA said the "complexities of the agency’s systems and interconnections with federal and industry partners" caused key rotation to take longer than anticipated. The agency reported that it has since rotated all secrets and revoked the contractor's system access.

Reporting friction: multiple channels and missed alerts

The postmortem, authored by Preston Werntz and Brad Libbey — the acting chief information officer and acting chief information security officer at CISA, respectively — says CISA can do better at responding to security notifications from external parties. The analysis recounts that reporting channels were not well defined; the security researcher first tried multiple avenues, including emailing the contractor, submitting through CISA’s vulnerability disclosure platform (which the report says is intended for vulnerabilities impacting the broader cybersecurity community), and ultimately involving a reporter.

GitGuardian researcher Guillaume Valadon said CISA ignored nine automated alerts about the exposed credentials before the May 15 notification. Valadon wrote, "Letting nine notification emails go unanswered is how a one-day incident becomes a six-month exposure," and urged organizations to "Make it trivial to report a leak about you, not just about your products."

Operational lessons: scanning, playbooks, and key management

CISA’s report stresses continuous public-repository scanning and improved secrets management. The agency acknowledged that although it had developed an incident-response playbook, that playbook "didn't include what to do in situations involving GitHub or other cloud services." CISA said it has created an action plan to improve management of developer secrets and to better monitor for exposed secrets going forward.

The agency also said that certain preparedness measures helped it gauge scope and impact. CISA gave itself "passing grades" for enhanced logging capabilities and the adoption of zero-trust principles across production and development systems. Those detailed logs, the report states, allowed CISA to determine that "no customer or mission data was exposed" and that "the leaked credentials were not used outside of CISA’s environments."

How technologists, policymakers, and contractors are implicated

  • Technologists and security teams: The incident underscores the value of continuous scanning of public code repositories and having a secrets-rotation capability that can move faster than 48 hours when administrative keys are exposed. Valadon argued that comprehensive internal scanning could have found plaintext passwords and committed backups "long before they left the building."
  • Policymakers and program managers: CISA’s admission that its reporting channels were unclear points to a need for clearer guidance on how external researchers should report leaks that affect agency infrastructure versus product vulnerabilities. CISA said it is refining its reporting channels and plans to publish reporting instructions in multiple prominent locations.
  • Contractors and suppliers: CISA revoked the contractor's system access after discovery. The episode highlights risks from contractor-managed repositories and the need for supplier controls around secrets in development workflows.

Guillaume Valadon praised CISA’s public postmortem, noting that it "is also the first time a national cybersecurity agency has publicly advocated for secrets scanning and for simplifying relations with security researchers," adding, "That is exactly the incident communication we should expect from every organization." CISA's own next steps include rotating all secrets, improving monitoring for developer secrets, and refining reporting channels so that researchers do not have to try multiple avenues to report infrastructure exposures.

The concrete record from CISA and GitGuardian leaves a clear operational challenge: even agencies with logs and zero-trust elements can be exposed by human or process failures around developer secrets, and the speed of containment hinges on both detection and the clarity of reporting paths. Will the action plan CISA announced shorten that interval the next time an administrative key appears in a public repository? The agency has committed to refining its processes — and the wider security community will be watching to see whether those fixes close the gap that allowed 844 MB of agency secrets to sit in plain view for months.

Original story