CISA is the highest-ranking cybersecurity authority in the U.S. However, through a vendor, CISA itself fell victim to a data breach. This shows that anyone can be affected, but more importantly, that even this agency can ignore warnings for months on end.
On May 15, CISA received a warning from KrebsOnSecurity about leaked AWS GovCloud keys and other CISA credentials that were publicly available on GitHub. This was preceded by nine automated alerts from GitGuardian, which reached out to security expert Brian Krebs for help.
Postmortem of a postmortem
In addition to Krebs, CISA itself also published a postmortem on the incident. The cybersecurity watchdog states, apparently without realizing the irony, that it took “swift and comprehensive action.” CISA hopes that its own transparency sets a good example.
The GitHub repository in question was named “Private CISA”; straightforward, but so out in the open that we can forgive cybercriminals if they mistook it for a honeypot. The repo contained 844 MB of sensitive data. A file with the equally telling title “importantAWStokens” contained the administrative login credentials for three Amazon AWS GovCloud servers. A second file listed usernames and passwords for dozens of internal CISA systems in plain text.
As mentioned, CISA responded quickly to the May 15 report. Nevertheless, it took more than 48 hours before the AWS keys and other secrets were revoked. According to the report, the complexity of CISA’s own systems and their interdependence with partners caused the delay. CISA therefore suggests that other organizations adhere to a “mature” and “well-tested” key management system.
Nine ignored warnings
The nine reports from GitGuardian to CISA thus went unanswered. GitGuardian researcher Guillaume Valadon stated that this oversight turned a single-day incident into a six-month-long breach.
In its postmortem, CISA acknowledges that the reporting channels for external parties were not properly defined. As a result, the researcher tried multiple avenues, including an email to the affected vendor and the standard vulnerability disclosure platform. The latter is specifically intended for vulnerabilities that affect the broader security community, not for incidents within the organization itself. CISA says it is refining these channels.
The problem of leaked secrets on GitHub is by no means unique to CISA. GitGuardian reported two years ago that an increasing number of secrets were ending up in public GitHub repositories. The 2026 State of Secrets Sprawl report shows that in 2025, 28.65 million new hardcoded secrets were added to public GitHub commits, a 34 percent increase from the previous year. In total, more than four million repositories contain a secret.
Continuous scanning as a lesson
CISA’s cyber incident response playbook was found to lack a scenario for situations involving GitHub or other cloud services. According to Valadon, this confirms the need for continuous scanning, rather than just quarterly scans. GitHub itself offers free secret scanning for all repositories, but such protection can be disabled or bypassed.
CISA did give itself a passing grade on a few points. Extensive logging and the application of zero-trust principles helped assess the scope of the breach. According to the report, no customer or mission data was exposed, and the leaked login credentials were not used outside of CISA’s environment. The contractor who published the secrets lost access to the system.
CISA says it has since rotated all secrets and developed an action plan to better manage developer secrets.