CISA Issues Critical Lessons Following Six-Month GitHub Data Leak
The Cybersecurity and Infrastructure Security Agency (CISA) has released a detailed postmortem regarding a significant data leak that exposed internal credentials, including AWS GovCloud keys, in a public GitHub repository for nearly six months. The incident, which came to light after a notification from KrebsOnSecurity, underscores critical vulnerabilities in CISA’s response protocols and highlights essential lessons for security teams across the industry.
Incident Overview
On May 15, 2026, GitGuardian, a cybersecurity firm, alerted CISA to a public GitHub repository named “Private CISA,” which contained 844 MB of sensitive data related to the agency. Among the exposed files was one labeled “importantAWStokens,” which included administrative credentials for three Amazon AWS GovCloud servers. Another file, “AWS-Workspace-Firefox-Passwords.csv,” revealed plaintext usernames and passwords for various internal CISA systems.
CISA acknowledged the alert but took over 48 hours to invalidate the exposed AWS keys and other critical secrets. In its report on the data leak, CISA attributed the delay to the complexities of its systems and the interconnections with federal and industry partners, which hindered timely key rotation.
“Drawing on this experience, CISA encourages others to maintain mature and well-tested key management capabilities,” the report stated.
Gaps in Incident Response
The postmortem revealed that CISA’s response to external security incident notifications requires significant improvement. The agency emphasized the necessity for clear and distinct reporting channels to differentiate incidents affecting its operations from those involving its products or customers.
According to Preston Werntz and Brad Libbey, the acting chief information officer and acting chief information security officer at CISA, respectively, the lack of well-defined channels led to confusion for the security researcher, who attempted multiple avenues to report the issue, including contacting the contractor and submitting through CISA’s vulnerability disclosure platform.
CISA is now working to refine its reporting channels to facilitate quicker and more effective communication with researchers. The agency noted that while many researchers use the security.txt file for reporting, organizations should also provide instructions in multiple prominent locations to ensure clarity.
Automated Alerts Ignored
Guillaume Valadon, the GitGuardian researcher who initially contacted KrebsOnSecurity about the exposed credentials, reported that CISA overlooked nine automated alerts regarding the exposed credentials before the notification on May 15. GitGuardian continuously scans public code repositories for exposed secrets and alerts the relevant accounts of any sensitive data exposures.
Valadon highlighted the consequences of ignoring these alerts, stating, “Letting nine notification emails go unanswered is how a one-day incident becomes a six-month exposure.” He advocated for organizations to simplify the reporting process, emphasizing that those reporting leaks should not be viewed as threats.
Importance of Continuous Monitoring
The report stressed the necessity of continuous scanning of public code repositories like GitHub to detect exposed secrets. CISA has since rotated all compromised secrets and developed an action plan to enhance the management of developer secrets and improve monitoring practices.
Despite having a playbook for responding to cybersecurity incidents, CISA’s guidelines failed to address scenarios involving GitHub or other cloud services. Valadon noted that the report validates the need for continuous monitoring rather than periodic checks for exposed secrets.
“The Private-CISA repository sat public for six months,” Valadon stated. “Continuous monitoring of public GitHub surfaced it. Comprehensive internal scanning could have caught the plaintext passwords and committed backups long before they left the building.”
Security Preparedness and Future Steps
CISA evaluated its security preparedness and reported positive outcomes in several areas, including enhanced logging capabilities and the adoption of zero-trust principles in both production and development systems. The agency asserted that its detailed logs demonstrated that no customer or mission data was compromised and that the leaked credentials were not utilized outside of CISA’s environments. The contractor responsible for the exposure had their system access revoked.
Valadon commended CISA for its transparency in the postmortem, noting that it is the first time a national cybersecurity agency has publicly advocated for secrets scanning and improved relations with security researchers. He emphasized that this level of incident communication should be the standard expected from all organizations.
For further insights into the implications of this incident and the lessons learned, refer to the detailed report by CISA. Source: krebsonsecurity.com.
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.


