US cyber agency CISA exposed reams of passwords and cloud keys to the open web
At a glance:
- CISA exposed sensitive cloud access keys and passwords in a public GitHub repository.
- Security researcher Guillaume Valadon verified some keys were valid and reported the lapse.
- The agency, responsible for federal cybersecurity, faces scrutiny amid leadership vacancies and staff cuts.
Discovery and Initial Report
Guillaume Valadon, a researcher at GitGuardian, identified reams of exposed plaintext credentials listed in spreadsheets publicly accessible via a GitHub repository. The repository was maintained by a contractor working for the Cybersecurity and Infrastructure Security Agency (CISA). Valadon found that the exposed credentials included access tokens, cloud keys, and other sensitive files used to access systems belonging to CISA and its parent agency, the Department of Homeland Security. He tested some of the keys to confirm their validity before reporting the issue.
Valadon reported the lapse to Brian Krebs because the CISA contractor operating the GitHub environment did not respond to his initial alerts. That a researcher holding verified, working credentials for federal systems had no responsive contact and ended up going through a journalist points to a gap in the disclosure path, not just a storage mistake. Krebs, an independent security reporter, then broke the story, bringing public attention to the issue.
Nature of the Exposed Data
The exposed data comprised a variety of authentication materials. According to Valadon's findings as reported by Krebs, the spreadsheets contained plaintext passwords, cloud service keys, and access tokens that could grant unauthorized entry into CISA's internal systems and cloud environments. Passwords are normally paired with multi-factor authentication, and long-lived cloud keys and tokens are normally kept in a secrets vault with scoped permissions and a rotation schedule; here they sat in plaintext spreadsheets in a public repository, where anyone could copy them. That is more than a hygiene failure: a static key or token needs no password and triggers no MFA prompt, so whoever copied the spreadsheet could have used it directly.
The cloud access keys are the more serious part of the exposure. Such keys authenticate direct API calls to the provider, so a valid key can list and read storage buckets, start or stop virtual machines, and reach other infrastructure-as-a-service resources, limited only by the permissions attached to the key's identity. The report does not say what privileges the exposed keys carried; if any were broadly scoped, they would have allowed administrative control, and the usual consequences of such a leak are data exfiltration, service disruption, and lateral movement from the cloud environment into other systems. Because a leaked key can be tried against the provider's API from anywhere, the only reliable response once exposure is confirmed is to revoke and reissue it.
CISA's Response and Investigation
Upon learning of the exposure, CISA spokesperson Marco di Sandro stated that the agency is "aware of the reported exposure and is continuing to investigate the situation." Di Sandro added that there is "no indication that any sensitive data was compromised as a result of this incident." However, CISA declined to specify whether the exposed credentials have been revoked and replaced. The agency's handling of the incident is under scrutiny, especially given its role in setting cybersecurity standards for the federal government.
When contacted by TechCrunch, CISA provided a brief statement but did not answer specific questions about credential revocation or evidence of a breach. This lack of transparency is concerning for an agency that advocates for open communication during security incidents. The ongoing investigation will need to determine how long the credentials were exposed and whether any unauthorized access occurred.
Context and Irony for CISA
The incident is particularly embarrassing for CISA because the agency is tasked with overseeing cybersecurity across the civilian federal network and regularly advises other agencies on best practices. These practices explicitly recommend storing passwords in secured password managers rather than in unprotected spreadsheets or public repositories. The exposure undermines CISA's credibility and highlights a significant gap between its guidance and internal practices. It also raises questions about the agency's ability to secure its own infrastructure while promoting security for others.
CISA's mission includes helping organizations defend against cyber threats, and it operates programs like the Cyber Hygiene Services and the Vulnerability Disclosure Policy. The fact that its own systems suffered from a basic security misconfiguration is a stark contradiction. It may erode trust among partner agencies and private sector entities that rely on CISA's expertise.
Leadership and Staffing Challenges
CISA has been without a permanent director since January 20, 2025, when Jen Easterly stepped down ahead of the incoming Trump administration. Additionally, the agency has lost approximately a third of its workforce due to cuts, furloughs, and layoffs since Trump took office. These leadership and staffing shortages may have contributed to the security lapse, as reduced oversight and resources can lead to oversights in contractor management and internal security protocols.
The agency's workforce reduction and leadership vacuum come at a time when cybersecurity threats are escalating. With key positions unfilled, decision-making and accountability may be delayed, increasing the risk of similar incidents. The Trump administration's cuts to federal agencies have been widespread, but for CISA, which is on the front lines of national cybersecurity, the impact could be particularly severe.
Broader Implications and What's Next
The exposure of CISA credentials serves as a cautionary tale for all organizations about the risks of mishandling sensitive access materials. For CISA, it may prompt a review of its contractor oversight and internal security measures. The incident also underscores the importance of continuous monitoring and rapid response to potential exposures. As the investigation continues, stakeholders will be watching to see if CISA takes corrective actions and how it addresses the systemic issues that allowed this lapse to occur.
Organizations should take this incident as a reminder to audit third-party vendor access and ensure that all credentials are stored securely. For CISA, the focus will be on containing any potential damage, improving internal controls, and restoring confidence. Congress and oversight bodies may also investigate the lapse, given CISA's critical role in federal cybersecurity.
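The kind of check that catches a credential spreadsheet before it is pushed, as an added example (not code from CISA, GitGuardian, Krebs, or the contractor): it scans a CSV export for the credential types described above, namely cloud access keys, access tokens, and plaintext passwords sitting in a credential column, and reports them redacted so the report itself cannot leak. The vendor key formats, the entropy threshold, the column-name list and the sample rows are this example's own assumptions; the sample rows are constructed and use AWS's published placeholder credentials plus a made-up token that matches only the format.

```python
"""Scan a CSV export of a credential spreadsheet for cloud keys, tokens and
plaintext passwords. Added example; key formats, thresholds and the sample
rows are assumptions, not material from the original article.
"""
import csv
import io
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Vendor formats for the key and token types the exposure involved.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # AWS secret keys carry no prefix: a bare 40-char base64-ish run, gated
    # on entropy in classify() so ordinary words never trigger it.
    "aws_secret_access_key": re.compile(
        r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])"),
}
ENTROPY_THRESHOLD = 4.0  # bits/char; random 40-char keys score well above this

# Header names marking a credential column: every non-empty value in such a
# column is a secret whatever its shape (e.g. a human-chosen password).
CREDENTIAL_COLUMNS = ("password", "passwd", "pwd", "secret", "token",
                      "apikey", "api_key", "access_key")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; the usual 'does this look random' gate."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix/suffix only, so the finding is not a second leak."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


@dataclass
class Finding:
    row: int        # 1-based line in the CSV; the header is row 1
    column: str
    kind: str
    redacted: str


def classify(value: str) -> Optional[str]:
    """Return the credential type a cell looks like, or None."""
    for kind, pattern in PATTERNS.items():
        match = pattern.search(value)
        if not match:
            continue
        if (kind == "aws_secret_access_key"
                and shannon_entropy(match.group(0)) < ENTROPY_THRESHOLD):
            continue
        return kind
    return None


def scan_csv(text: str) -> List[Finding]:
    """Flag cells matching a key format, plus any value in a credential column."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for row_no, row in enumerate(reader, start=2):
        for column, value in row.items():
            value = (value or "").strip()
            if not value:
                continue
            kind = classify(value)
            header = (column or "").lower()
            if kind is None and any(k in header for k in CREDENTIAL_COLUMNS):
                kind = "plaintext_credential_column"
            if kind:
                findings.append(Finding(row_no, column, kind, redact(value)))
    return findings


# Constructed sample: the AWS values are the placeholders from AWS's own docs,
# the GitHub token is invented and matches only the published format.
SAMPLE_CSV = """system,username,secret
prod-s3,svc-backup,AKIAIOSFODNN7EXAMPLE
prod-s3,svc-backup,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
github,ci-bot,ghp_0123456789abcdefghijklmnopqrstuvwxyz
jira,jdoe,Summer2024!
wiki,admin,hunter2
"""

if __name__ == "__main__":
    # As a pre-commit hook you would run this over every staged CSV/XLSX export
    # and exit non-zero on any finding; here it scans the constructed sample.
    for f in scan_csv(SAMPLE_CSV):
        print(f"row {f.row} column={f.column} {f.kind} {f.redacted}")
    raise SystemExit(1 if scan_csv(SAMPLE_CSV) else 0)
```

Two design points matter in practice. The entropy gate is what keeps the prefix-less AWS secret pattern from firing on every 40-character word run, while the column-name rule is what catches human-chosen passwords like the ones in the sample, which no format regex will ever match. And a hit is not the end of the process: a finding means the value was already committed somewhere, so the credential is rotated first and the history cleaned second.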
FAQ
What specific credentials were exposed in the CISA incident?
Plaintext passwords, cloud service keys, and access tokens for systems belonging to CISA and the Department of Homeland Security, listed in spreadsheets in a public GitHub repository maintained by a CISA contractor. Valadon confirmed that some of the keys were still valid.
Who discovered the exposed CISA credentials and how?
Guillaume Valadon, a researcher at GitGuardian, found the spreadsheets in the contractor's public repository and tested some of the keys to confirm they worked. After the contractor did not respond to his alerts, he took the finding to Brian Krebs, who published it.
Has CISA confirmed that any data was compromised due to this exposure?
No. CISA says it is aware of the reported exposure, is investigating, and has "no indication that any sensitive data was compromised," but it has declined to say whether the exposed credentials have been revoked and replaced.