How a CISA Contractor Exposed Top-Secret Cloud Credentials on GitHub

In May 2023, a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) inadvertently leaked highly sensitive credentials by hosting them in a public GitHub repository. The exposure, discovered by the secret-detection firm GitGuardian, included administrative access keys for AWS GovCloud accounts, plaintext passwords for dozens of internal CISA systems, and detailed internal software development procedures. The researchers who examined the repository described it as one of the worst government credential leaks they had seen. Below, we answer key questions about what happened, how it was found, and what it means for security hygiene.

1. What exactly happened with the CISA contractor's GitHub repository?

The contractor, who worked as a CISA administrator, maintained a public GitHub repository named "Private-CISA" that contained a large trove of internal credentials and files. The repository included cloud keys, tokens, plaintext passwords, logs, and other sensitive assets belonging to CISA and the Department of Homeland Security (DHS). The administrator had disabled GitHub's push protection, the default secret-scanning check that refuses pushes containing recognizable secrets such as SSH keys and cloud credentials. Security researchers flagged the repository soon after discovering the exposed data, and it was taken down shortly after KrebsOnSecurity alerted CISA.

Source: krebsonsecurity.com

2. How was the leak discovered?

Guillaume Valadon, a researcher at GitGuardian, found the leaked credentials in the course of the company's routine scanning of public code repositories for exposed secrets. GitGuardian automatically alerts account owners when sensitive data is found, but in this case the owner, the CISA contractor, did not respond. Valadon reached out to KrebsOnSecurity on May 15 to report the exposure. GitGuardian's automated scanners had identified the "importantAWStokens" file along with other plaintext credential files.

3. What kind of sensitive data was exposed?

The repository contained a wide array of sensitive information: administrative usernames and access keys for three AWS GovCloud accounts, plaintext passwords for dozens of internal CISA and DHS systems (stored in a CSV file), API tokens, logs, Git backups, and documentation of internal software development procedures.

Taken together, the exposed data provided a blueprint of how CISA builds, tests, and deploys software internally.

4. Why did security experts consider this an egregious breach?

Security experts, including Philippe Caturegli of Seralys and Guillaume Valadon, described this as one of the worst government leaks they had ever witnessed. Valadon stated: "Passwords stored in plain text in a CSV, backups in Git, explicit commands to disable GitHub secrets detection feature… I honestly believed it was all fake before analyzing the content deeper." The administrator had deliberately turned off GitHub's built-in secret protection, suggesting poor security culture. The leak exposed not just credentials but internal practices, making it a textbook example of poor security hygiene.


5. What were the specific AWS GovCloud credentials exposed?

One file named "importantAWStokens" contained administrative usernames and access keys for three AWS GovCloud accounts. AWS GovCloud (US) is a set of isolated AWS regions designed to host sensitive government workloads subject to compliance requirements such as FedRAMP and ITAR. Caturegli tested the keys and confirmed they were still valid at the time of discovery, meaning an attacker could have gained full administrative access to those cloud environments. (Checking whether a leaked key is live takes a single call to AWS's GetCallerIdentity API, which needs no permissions and also reveals the account the key belongs to; such a call is logged in CloudTrail, so defenders can look for it.) No evidence of malicious use was reported.

6. What does this incident reveal about internal security practices?

According to Caturegli, the GitHub account appeared to be used as a personal scratchpad or synchronization tool rather than a managed project repository. This indicates that the contractor was storing credentials in an ad-hoc manner, bypassing official security protocols. The deliberate disabling of GitHub's secret detection suggests either a lack of awareness of, or disregard for, basic practice. The incident highlights the need for continuous monitoring of public code repositories for an organization's own secrets, mandatory security training, and automated guardrails (push protection and pre-commit secret scanning) that do not depend on the operator opting in. It also underscores the risk of relying on individual operators to maintain proper security hygiene without institutional oversight.
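To make the two technical points above concrete, the following is an added example (not GitGuardian's scanner, not any code from CISA or the repository in question) of what automated secret detection of the kind described in question 2 does, and of the pre-commit guardrail just mentioned. It scans file contents for the credential types the article lists (AWS access key IDs and secret keys, GitHub tokens, PEM private keys, and CSV files with a password column) and, for each AWS key ID, derives the owning account ID offline from the key ID's base32 encoding, a publicly documented property of AKIA/ASIA key IDs that lets a responder see which account is affected before touching the key. All file names, the sample repository, and the credentials inside it are constructed for the example; the 40-character secret key is the placeholder value from AWS's own documentation, and the key ID "AKIABZPUZDIKAAJDIVTY" was built to encode the fictitious account 123456789012.

```python
"""Secret scanner for repository contents plus AWS key ID triage.

Added example; every file name and credential below is constructed.
"""
import base64
import csv
import io
import re
import sys
from dataclasses import dataclass

# Patterns for the credential types the article says were in the repo.
AWS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b")
AWS_SECRET_RE = re.compile(
    r"(?i)aws_?secret_?(?:access_?)?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)
GITHUB_TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")
PASSWORD_COLUMNS = {"password", "passwd", "pwd", "secret"}


@dataclass
class Finding:
    path: str
    line: int    # 1-based; 0 for file-level findings
    kind: str
    detail: str  # never the secret itself


def account_id_from_key_id(key_id: str) -> int:
    """Recover the 12-digit AWS account ID embedded in an AKIA/ASIA key ID.

    The 16 characters after the prefix are base32; the account ID occupies
    40 bits of the first six decoded bytes, below one leading flag bit and
    above seven low bits that are not part of the ID.
    """
    raw = base64.b32decode(key_id[4:20])
    high48 = int.from_bytes(raw[:6], "big")
    return (high48 & 0x7FFFFFFFFF80) >> 7


def redact(secret: str) -> str:
    """Keep just enough of a secret to correlate findings, never the whole value."""
    return secret[:4] + "..." + secret[-2:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; returns a list of findings with secrets redacted."""
    findings: list[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            key_id = m.group(1)
            findings.append(Finding(path, no, "aws-access-key-id",
                f"{redact(key_id)} belongs to account {account_id_from_key_id(key_id)}"))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append(Finding(path, no, "aws-secret-access-key", redact(m.group(1))))
        for m in GITHUB_TOKEN_RE.finditer(line):
            findings.append(Finding(path, no, "github-token", redact(m.group(1))))
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding(path, no, "private-key", "PEM private key block"))
    # A CSV whose header names a password column is a plaintext credential store.
    if path.lower().endswith(".csv"):
        reader = csv.DictReader(io.StringIO(text))
        hit = {c.strip().lower() for c in (reader.fieldnames or [])} & PASSWORD_COLUMNS
        if hit:
            rows = sum(1 for _ in reader)
            findings.append(Finding(path, 0, "plaintext-password-column",
                f"column(s) {sorted(hit)} with {rows} row(s)"))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (a checkout, or staged files)."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository (no real credentials); layout echoes the article.
SAMPLE_REPO = {
    "importantAWStokens": (
        "# constructed sample; key ID encodes fictitious account 123456789012\n"
        "govcloud-admin AKIABZPUZDIKAAJDIVTY\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "backups/systems.csv": (
        "hostname,username,password\n"
        "build01.example.internal,svc_build,Winter2024!\n"
        "jenkins.example.internal,admin,correct-horse\n"
    ),
    "ci/deploy.yml": "env:\n  GH_TOKEN: ghp_0123456789abcdefghijklmnopqrstuv0123\n",
    "README.md": "Run the unit tests before pushing.\n",
}


def main(paths: list[str]) -> int:
    """Scan the given files (for a pre-commit hook: the staged paths).

    With no arguments the constructed sample is scanned instead. Returns 1
    when anything is found so a hook can refuse the commit.
    """
    files: dict[str, str] = {}
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                files[p] = fh.read()
        except OSError:
            continue
    findings = scan_tree(files) if paths else scan_tree(SAMPLE_REPO)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind}: {f.detail}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see the four findings on the constructed sample. As a local guardrail, a `.git/hooks/pre-commit` script can call it with the staged file list (`git diff --cached --name-only -z | xargs -0 python3 scan_secrets.py`, file name assumed) and the non-zero exit refuses the commit; unlike GitHub's push protection, a hook in the developer's own checkout can still be deleted by that developer, which is why the article's point about institutional monitoring of public repositories stands.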
