CISA's GitHub Leak: A Postmortem on Exposed AWS Keys and Critical Lessons for All
The **Cybersecurity and Infrastructure Security Agency** (**CISA**) recently published a candid postmortem detailing a significant data leak where a contractor inadvertently exposed sensitive internal credentials, including **AWS GovCloud** keys, on a public **GitHub** repository for nearly six months. This incident, brought to light by **KrebsOnSecurity** after being alerted by **GitGuardian**, offers crucial insights into key management, incident response, and researcher communication that all security teams should heed.
The incident began to unfold on May 15, 2026, when security firm **GitGuardian** reached out to **KrebsOnSecurity** for assistance in notifying **CISA** about a public **GitHub** repository named βPrivate CISA.β This repository contained a substantial 844 MB of sensitive **CISA**-related data.
Among the exposed files was βimportantAWStokens,β which included administrative credentials for three **Amazon AWS GovCloud** servers. Another critical file, βAWS-Workspace-Firefox-Passwords.csv,β contained plaintext usernames and passwords for numerous internal **CISA** systems.

### Delayed Response and System Complexity
While **CISA** quickly acknowledged the initial alert, it took more than 48 hours to invalidate the exposed **AWS** keys and other vital secrets. In its official report on the data leak, **CISA** attributed this delay to the inherent complexities of its systems and their extensive interconnections with federal and industry partners.
βDrawing on this experience, CISA encourages others to maintain mature and well-tested key management capabilities,β the report states, emphasizing the need for robust key rotation processes.
### Refining Incident Reporting Channels
**CISA** also admitted shortcomings in its process for responding to security incident notifications from external parties. The postmortem highlights the necessity of clear and distinct reporting channels, especially to differentiate incidents affecting the agency's own infrastructure from those involving its products or customers.
βIn CISAβs case, these channels were not well defined, leading the security researcher to try multiple avenues β including emailing the contractor, submitting through CISAβs vulnerability disclosure platform (which is intended for vulnerabilities impacting the broader cybersecurity community), and ultimately involving a reporter,β explained **Preston Werntz**, acting Chief Information Officer, and **Brad Libbey**, acting Chief Information Security Officer at **CISA**, in their analysis.
**CISA** is now actively refining its reporting channels to make them more accessible and efficient for researchers. The agency also stressed that while a `security.txt` file is valuable, organizations should publish reporting instructions in multiple prominent locations.
### The Importance of Continuous Monitoring
**Guillaume Valadon**, the **GitGuardian** researcher who initially discovered the exposed credentials, revealed that **CISA** had ignored nine automated alerts about the leak prior to the **KrebsOnSecurity** notification. **GitGuardian** continuously scans public code repositories for exposed secrets, automatically alerting account holders.
βLetting nine notification emails go unanswered is how a one-day incident becomes a six-month exposure,β **Valadon** wrote in his analysis of **CISA**βs report. He urged organizations to simplify the process for reporting leaks about their own infrastructure, ensuring such reports don't get lost in product-bug queues.
### Lessons Learned and Future Actions
The **CISA** report's authors underscored the critical importance of continuous scanning of public code repositories like **GitHub** for exposed secrets. **CISA** has since rotated all compromised secrets and developed an action plan to enhance developer secret management and monitoring.
The agency acknowledged that its existing cybersecurity incident playbook lacked specific guidance for situations involving **GitHub** or other cloud services. **Valadon**'s insights further validated the need for continuous, rather than quarterly, scanning for exposed secrets.
βThe Private-CISA repository sat public for six months,β **Valadon** noted. βContinuous monitoring of public GitHub surfaced it. Comprehensive internal scanning could have caught the plaintext passwords and committed backups long before they left the building.β
**CISA** credited its enhanced logging capabilities and the adoption of zero-trust principles in both production and development systems for helping to gauge the scope and impact of the exposure. These detailed logs confirmed that no customer or mission data was exposed, and the leaked credentials were not used outside **CISA** environments. The contractor responsible for the exposure has had their system access revoked.
**Valadon** praised **CISA**'s transparency in its postmortem, highlighting its significance. βTo my knowledge, it is also the first time a national cybersecurity agency has publicly advocated for secrets scanning and for simplifying relations with security researchers,β he stated. βThat is exactly the incident communication we should expect from every organization.β