CISA Credentials Exposed on GitHub: A Breach of Security Basics

Last updated: 2026-05-20 00:00:55 · Cybersecurity

Introduction

In a stunning lapse of operational security, the U.S. Cybersecurity and Infrastructure Security Agency (CISA)—an organization tasked with protecting the nation's digital infrastructure—recently found itself at the center of a controversy involving leaked credentials. Security researcher Brian Krebs reported that a public GitHub repository, ironically named “Private-CISA,” contained a trove of plaintext passwords, SSH private keys, API tokens, and other sensitive assets. The repository had been publicly accessible since at least November 2025, exposing CISA's internal systems to potential compromise.

CISA Credentials Exposed on GitHub: A Breach of Security Basics
Source: feeds.arstechnica.com

The Discovery

The leak was brought to light by Guillaume Valadon, a researcher at GitGuardian, a company specializing in detecting hardcoded secrets in code repositories. Valadon was alerted to the repository through GitGuardian's automated public code scans. According to Krebs, Valadon attempted to contact the repository's owner—presumably a CISA employee—but received no response. After multiple failed attempts, Valadon escalated the issue to Krebs, who then published the findings.

The repository itself was taken offline shortly after the report, but not before the damage had been done. The commit logs revealed a troubling detail: GitHub's default protections against committing secrets—features designed to prevent developers from accidentally exposing credentials—had been deliberately disabled by the repository's administrator.

What Was Exposed

The exposed data included:

  • Plaintext passwords for various CISA internal systems.
  • SSH private keys that could allow unauthorized access to servers.
  • API tokens for cloud services and third-party platforms.
  • Other sensitive configuration files and credentials.

Such credentials could have been used by malicious actors to impersonate CISA systems, exfiltrate sensitive data, or launch further attacks. The fact that they sat in a public GitHub repository, readable by anyone with an internet connection, greatly amplified the risk.

The Role of GitHub's Protections

GitHub offers a built-in security feature called secret scanning, which automatically detects known patterns of credentials (e.g., AWS keys, GitHub tokens) in public repositories and alerts the owner. Additionally, GitHub can block commits that contain such secrets if the feature is enabled. In the case of the Private-CISA repository, the logs showed that these protections were disabled.
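As an added illustration of the kind of check described above (example code written for this article, not GitHub's secret-scanning implementation), a minimal pre-commit scanner over a staged diff: it flags the secret types the article names and, like GitHub's commit blocking, refuses the commit when anything matches. The rule names, the password heuristic and the sample diff are constructed.

```python
import re
import sys
from typing import List, Tuple

# Detectors for the secret types the article lists: SSH private keys, cloud and
# GitHub tokens, plaintext passwords. Token prefixes are the documented formats;
# the password rule is a heuristic. Constructed example, not GitHub's own code.
PATTERNS = {
    "ssh-private-key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "plaintext-password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

def scan_diff(diff: str) -> List[Tuple[int, str, str]]:
    """Return (diff line no, rule, text) for each ADDED line matching a detector;
    removed lines and '+++' headers are skipped, so deleting a secret never blocks."""
    findings = []
    for line_no, line in enumerate(diff.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        for rule, pattern in PATTERNS.items():
            if pattern.search(content):
                findings.append((line_no, rule, content.strip()))
    return findings

def should_block(diff: str) -> bool:
    return bool(scan_diff(diff))  # push-protection style: any finding blocks the commit

# Constructed sample of `git diff --cached` output; every value here is fake.
SAMPLE_DIFF = """\
diff --git a/deploy/config.env b/deploy/config.env
--- a/deploy/config.env
+++ b/deploy/config.env
@@ -1,3 +1,6 @@
 REGION=us-east-1
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
+DB_PASSWORD="hunter2-but-longer"
+-----BEGIN OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    diff = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    for line_no, rule, text in scan_diff(diff):
        print(f"blocked: line {line_no} [{rule}] {text}")
    sys.exit(1 if should_block(diff) else 0)
```

Installed as a `pre-commit` hook and fed `git diff --cached`, the non-zero exit aborts the commit; the removed AKIA line in the sample is deliberately ignored so that cleaning up a leaked key is never itself blocked.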

The decision to disable these safeguards is baffling, especially given CISA's mandate. The agency is responsible for helping other organizations secure their systems, yet failed to secure its own. As Krebs noted, disabling these protections effectively removed the only line of defense between sensitive internal credentials and the public internet.

Implications and Aftermath

The exposure has several serious implications:

  1. Operational Risk: Any credentials that were valid at the time of exposure must be immediately rotated. Given that the repository had been public for months, it's possible that malicious actors already scraped the data.
  2. Reputational Damage: CISA's credibility as a cybersecurity authority is undermined. If they cannot protect their own secrets, how can they advise others?
  3. Legal and Compliance Issues: Federal agencies are subject to strict security requirements, such as those outlined in NIST standards. This incident likely violates multiple policies.

CISA has not publicly commented on the full extent of the breach, but it is expected to conduct an internal investigation. The agency may also face scrutiny from Congress.

Lessons Learned

This incident serves as a stark reminder that no organization is immune to credential leaks, especially when human error is involved. Key takeaways include:

  • Always enable default security features: GitHub's secret scanning and commit blocking should never be disabled without a strong, documented justification.
  • Implement automated monitoring: GitGuardian's public scans caught the leak, but internal monitoring could have detected it earlier.
  • Train developers on best practices: Storing credentials in code repositories—even private ones—is risky. Use secret management tools like HashiCorp Vault or AWS Secrets Manager.

Conclusion

The exposure of CISA's credentials on a public GitHub repository is a stark example of how easily security can fail when basic protocols are ignored. The fact that the repository was named “Private-CISA” only highlights the irony: it was anything but private. As the cybersecurity community continues to respond, this incident should serve as a cautionary tale for all organizations—especially those charged with protecting national security.

For more on securing secrets in code, see our guide on GitHub's secret protection features.