- The United States’ cyber agency CISA contractor left highly sensitive AWS GovCloud keys on a public GitHub repository.
- The exposed data included plaintext passwords and internal code development blueprints.
- Security experts say it’s among the most shocking government data leaks ever seen in recent times.

One of the Cybersecurity & Infrastructure Security Agency’s (CISA) contractors kept their administrative AWS GovCloud account credentials in a public GitHub repository. This data was left exposed for at least six months.
The leak, discovered May 15 by security firm GitGuardian, included plaintext passwords for dozens of internal systems. Experts say it represents a catastrophic failure of basic security practices at America’s top cyber defense agency.
Details of the Data Leak
The trouble started with a GitHub repository named “Private-CISA.” A security researcher named Guillaume Valadon from GitGuardian, a security firm that constantly scans public code for leaked secrets, flagged the exposure.
Valadon tried to notify the account owner about the leak, but they didn’t respond. The reason became clear. The repository held a treasure trove of internal CISA and DHS credentials: cloud keys, security tokens, logs, and even plaintext passwords stored in a simple CSV file.
One file, ‘importantAWStokens,’ held the admin keys to three different AWS GovCloud servers. Another file, ‘AWS-Workspace-Firefox-Passwords.csv,’ listed usernames and passwords for dozens of internal CISA systems. This included LZ-DSO, short for Landing Zone DevSecOps, CISA’s own secure code development environment.
Researcher Philippe Caturegli of Seralys tested the exposed keys. He confirmed they worked and provided high-level access to those government cloud accounts.
A Case of Bad Security Hygiene
How did this happen? The commit logs show the administrator deliberately disabled GitHub’s default security feature. That feature blocks users from publishing secrets in public code. Valadon called it a textbook example of poor security hygiene.
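The protection the administrator switched off is a pre-push scan for recognizable secrets. The following script, added here as an illustration and not part of the article or of any GitGuardian, GitHub or CISA tooling, shows the minimal form of such a check: it walks a working tree and refuses to pass if it finds an AWS access key ID, a matching secret key, or a browser password-export CSV, the two file types named above. The sample tree it builds uses AWS’s published documentation example key and made-up passwords; none of the values are real credentials.

```python
"""Minimal pre-commit secret scanner (added example, not the page's code).
Wire it into .git/hooks/pre-commit, or run it on a directory:
    python scan_secrets.py <path>
Exit status 1 means a secret-shaped value was found and the commit
should be refused."""
import csv
import io
import os
import re
import sys
import tempfile

# AWS access key IDs have a fixed, documented shape: a 4-letter prefix
# (AKIA = long-term IAM user key, ASIA = temporary STS key) plus 16
# uppercase alphanumerics. Spotting the ID alone is enough to block a push.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A 40-character base64-like token on the same line as the word "secret"
# is the usual shape of the matching secret access key.
AWS_SECRET_RE = re.compile(r"(?i)secret[^\n]{0,40}?([A-Za-z0-9/+=]{40})\b")

# Header names that mark a browser or password-manager export.
PASSWORD_HEADERS = {"password", "passwd", "pwd"}


def scan_text(path, text):
    """Return a list of (path, finding) tuples for one file's contents."""
    findings = []
    for m in AWS_KEY_ID_RE.finditer(text):
        # Report only a prefix of the key so the hook's own output
        # does not become another place the full ID is written down.
        findings.append((path, f"aws_access_key_id:{m.group(0)[:8]}..."))
    for _ in AWS_SECRET_RE.finditer(text):
        findings.append((path, "aws_secret_access_key"))
    if path.lower().endswith(".csv"):
        header = next(csv.reader(io.StringIO(text)), [])
        cols = {c.strip().lower() for c in header}
        if cols & PASSWORD_HEADERS:
            findings.append((path, "password_export_csv"))
    return findings


def scan_tree(root):
    """Walk a directory (skipping .git) and collect every finding."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            findings.extend(scan_text(os.path.relpath(path, root), text))
    return findings


def build_sample_repo():
    """Constructed sample tree mirroring the file names from the article.
    The key pair is AWS's own documentation example (AKIAIOSFODNN7EXAMPLE);
    the password row is invented. Nothing here is a working credential."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    with open(os.path.join(root, "importantAWStokens"), "w") as fh:
        fh.write("aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n")
        fh.write("aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    with open(os.path.join(root, "AWS-Workspace-Firefox-Passwords.csv"), "w") as fh:
        fh.write("url,username,password\n")
        fh.write("https://intranet.example,alice,Platform2025\n")
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("Nothing sensitive here.\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_repo()
    hits = scan_tree(target)
    for path, kind in hits:
        print(f"BLOCKED {path}: {kind}")
    sys.exit(1 if hits else 0)
```

Run with no argument it scans its own constructed sample and exits 1 with three findings (the key ID, the secret key and the password CSV); pointed at a clean tree it exits 0. A real deployment would keep the pattern list much longer (GitHub's push protection covers hundreds of token formats), but the shape is the same: the check runs before the push, and the default should be to refuse rather than to let the committer opt out.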
Poor security hygiene isn’t limited to government contractors. Microsoft users have been receiving unsolicited one-time passcodes in a suspected large-scale account probing campaign, another example of how weak practices can lead to widespread vulnerability.
“I honestly believed that it was all fake before analyzing the content deeper,” Valadon wrote. He added that this was the worst leak of his career. The archive even included the contractor’s own passwords. Many were incredibly weak, like the platform’s name followed by the current year.
Caturegli has a theory. He thinks the contractor was using the public GitHub repo to sync files between a work laptop and a home computer. The account showed regular commits since last November. The contractor’s GitHub account itself was created way back in September 2018.
CISA Responds
Who was responsible? The “Private-CISA” repo belonged to an employee of Nightwing, a government contractor based in Dulles, Virginia. Nightwing declined to comment and referred all questions to CISA.
CISA released a statement acknowledging the leak. Its spokesperson said there’s no evidence that the exposure compromised any sensitive data, but promised that the agency will beef up security.
The GitHub account vanished shortly after Seralys and KrebsOnSecurity notified CISA. But here is the scary part. The exposed AWS keys remained valid for another 48 hours. That’s two full days where anyone could have used them.
The repo exposed far more than just passwords. It included blueprints for how CISA builds, tests, and deploys its internal software. Experts warn that the exposed “artifactory”, their internal code package repository, is a prime target. An attacker could hide a backdoor in a software package. Then, every time CISA built something new, it would redeploy that backdoor.
This leak is even more alarming given the agency’s current state. CISA is operating with a fraction of its normal budget and staffing. It has lost nearly a third of its workforce since the beginning of the second Trump administration due to buyouts and resignations.
Caturegli summed up the embarrassment perfectly. “This would be an embarrassing leak for any company,” he said, “but it’s even more so in this case because it’s CISA.”