HN
Today

CISA Admin Leaked AWS GovCloud Keys on GitHub

A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) publicly exposed highly privileged AWS GovCloud keys and numerous internal CISA system credentials on GitHub. This egregious lapse, involving plaintext passwords and disabled secret detection, represents one of the most severe government data leaks in recent memory. The incident has garnered significant attention on Hacker News due to the shocking incompetence from an agency responsible for national cybersecurity, highlighting critical vulnerabilities in government IT practices.

Score: 47 | Comments: 1 | Highest Rank: #9 | 14h on Front Page
First Seen: May 19, 2:00 PM | Last Seen: May 20, 3:00 AM
Rank Over Time: (chart; data not recoverable from the page)

The Lowdown

A contractor working for the Cybersecurity & Infrastructure Security Agency (CISA) inadvertently created a public GitHub repository that openly exposed highly sensitive credentials for multiple AWS GovCloud accounts and various internal CISA systems. This incident, uncovered by security researchers from GitGuardian and Seralys, is being called one of the most significant government data leaks in recent history due to the nature and volume of exposed secrets by an agency whose mission is to protect against such breaches.

  • The "Private-CISA" repository contained a vast array of critical CISA assets, including cloud keys, plaintext passwords, tokens, and logs, alongside administrative credentials for three Amazon AWS GovCloud servers.
  • One particularly revealing file, named "AWS-Workspace-Firefox-Passwords.csv," listed plaintext usernames and passwords for numerous internal CISA systems, such as "LZ-DSO," identified as the agency's secure code development environment.
  • Security researchers confirmed that the exposed AWS keys were valid and provided high-level access, and the repository also revealed access to CISA's internal "artifactory," a prime target for malicious actors to establish persistent backdoors into the agency's software supply chain.
  • The contractor's security practices were alarmingly poor, including disabling GitHub's default secrets detection feature, storing passwords in plaintext CSVs, and employing easily guessable passwords (e.g., "platformname+currentyear").
  • It appears the public repository was used as a personal "scratchpad" to synchronize files between work and home computers, with commits dating back to November 2025.
  • CISA stated they are investigating the situation, claiming "no indication that any sensitive data was compromised" so far, and committed to implementing additional safeguards. This comes at a time when the agency is operating with significantly reduced budget and staffing levels.
  • Despite the GitHub account being taken offline shortly after notification, the exposed AWS keys inexplicably remained valid for an additional 48 hours.
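The bullets above describe three things a pre-commit or repository scan would have caught: long-term AWS access key IDs, a CSV whose header marks a plaintext password column, and passwords of the "platformname+currentyear" shape. As an added example (not code from the page, from CISA, or from the GitGuardian or Seralys researchers), here is a minimal scanner of that kind. It assumes the documented AWS convention that long-term access key IDs are 20 characters starting with "AKIA" (temporary keys start with "ASIA"); the sample repository contents are constructed, the key and secret are the placeholder values from AWS documentation, and "Platform2025" is an invented password illustrating the pattern the page names.

```python
import csv
import io
import re

# Long-term AWS access key IDs are 20 characters starting with "AKIA"
# (temporary STS keys start with "ASIA"). Matching on that documented
# prefix convention is a heuristic, not a full secret-detection engine.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character key-like token on a line that mentions an AWS secret.
AWS_SECRET_KEY = re.compile(r"(?i)aws[_-]?secret\S*\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})")
# CSV header names that mean the column holds a plaintext password.
PASSWORD_COLUMN = re.compile(r"(?i)^(password|passwd|pwd)$")
# The "platformname+currentyear" shape: letters followed by a 20xx year.
NAME_PLUS_YEAR = re.compile(r"^[A-Za-z]+20\d\d$")


def scan_text(path, text):
    """Return findings for secret-looking tokens in any text file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append({"path": path, "line": lineno, "kind": "aws_access_key_id"})
        if AWS_SECRET_KEY.search(line):
            findings.append({"path": path, "line": lineno, "kind": "aws_secret_access_key"})
    return findings


def scan_csv(path, text):
    """Flag a CSV with a password column, and rows whose password
    follows the name+year pattern."""
    findings = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if not header:
        return findings
    pw_cols = [i for i, name in enumerate(header) if PASSWORD_COLUMN.match(name.strip())]
    if not pw_cols:
        return findings
    findings.append({"path": path, "line": 1, "kind": "plaintext_password_column"})
    for lineno, row in enumerate(reader, start=2):
        for i in pw_cols:
            if i < len(row) and NAME_PLUS_YEAR.match(row[i].strip()):
                findings.append({"path": path, "line": lineno, "kind": "weak_name_plus_year_password"})
    return findings


def scan_files(files):
    """files: {path: contents}. Returns all findings sorted by path, line, kind."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
        if path.lower().endswith(".csv"):
            findings.extend(scan_csv(path, text))
    return sorted(findings, key=lambda f: (f["path"], f["line"], f["kind"]))


# Constructed sample "repository" for demonstration only. The key and secret
# are the placeholder values from AWS documentation, not real credentials;
# the hostnames and passwords are invented.
SAMPLE_REPO = {
    "README.md": "# scratchpad\nsync between work and home\n",
    "notes.txt": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://lz-dso.example.invalid,svc-build,Platform2025\n"
        "https://artifactory.example.invalid,deploy,Tr0ub4dor&3xyz\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']}: {f['kind']}")
```

Run against the constructed repository this reports four findings: the password column and the name+year password in the CSV, and the access key ID and secret in notes.txt. In practice the same checks would sit in a pre-commit hook or CI job and block the push; GitHub's own secret scanning covers the AWS patterns, which is why the page singles out its being disabled.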

This incident highlights a profound failure in basic security protocols by an individual within an agency tasked with securing national infrastructure. The exposure of such critical credentials by CISA itself underscores the pervasive challenge of human error in cybersecurity, compounded by potential organizational issues like understaffing and poor internal practices, leaving a vital government agency vulnerable.