CISA Postmortem Exposes Six-Month GitHub Credential Leak

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- CISA disclosed that a contractor left dozens of internal credentials — including admin keys to three Amazon AWS GovCloud servers and plaintext passwords for dozens of internal systems — in a public GitHub repository called "Private CISA" for almost six months.
- GitGuardian researcher Guillaume Valadon flagged the 844 MB repo on May 15, 2026, and said CISA had ignored nine automated alerts from his company's continuous scanning service before KrebsOnSecurity got involved.
- CISA took more than 48 hours to invalidate the leaked AWS keys after notification, blaming the complexity of its systems and interconnections with federal and industry partners.
- Acting CIO Preston Werntz and acting CISO Brad Libbey wrote that CISA's incident playbook lacked procedures for GitHub or cloud-service exposures, and that its reporting channels routed self-incident tips into a product-vulnerability queue.
- CISA rotated all leaked secrets, revoked the contractor's system access, and used enhanced logging to confirm the credentials were never used to access customer or mission data outside its environments.
- Valadon called the postmortem the first time a national cybersecurity agency has publicly endorsed continuous secrets scanning and simpler, more visible channels for researchers to report leaks directly.
Why it matters: The agency that grades U.S. cybersecurity for a living failed to rotate exposed AWS GovCloud administrative keys for 48+ hours and ignored nine automated alerts — demonstrating that even organizations with zero-trust architectures and mature logging need tested playbooks for cloud-secret exposures and self-incident reporting channels separate from product-vulnerability intake.



