CISA Credentials Exposed on GitHub: The Avoidable Security Breach


In a serious lapse of operational security, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) inadvertently exposed a trove of sensitive credentials, including plaintext passwords, SSH private keys, authentication tokens, and other critical assets, through a public GitHub repository. The repository, ironically named Private-CISA, had been publicly accessible since at least November 2025 and was taken down only after security journalist Brian Krebs disclosed the exposure.

The Discovery

The breach came to light through the vigilance of Guillaume Valadon, a security researcher at GitGuardian, a company that specializes in detecting secrets in code repositories. GitGuardian's automated scans flagged the repository as containing hardcoded credentials. Valadon tried several times to notify the repository's owner but received no response, so he escalated the matter to Brian Krebs, who published the story after confirming the details.

Source: feeds.arstechnica.com

GitGuardian’s Role in Exposure Detection

GitGuardian's public monitoring tools identify secrets inadvertently committed to code repositories by matching patterns that resemble passwords, API keys, private keys, and tokens. In this case, the Private-CISA repo triggered multiple alerts, leading Valadon to investigate further. According to Valadon, the repository's commit history also revealed a critical misconfiguration: GitHub's built-in protection against committing secrets had been deliberately disabled by the repository administrator.

What Was Exposed

According to the initial report, the exposed data included plaintext passwords, SSH private keys, and authentication tokens.

While CISA has not released a full inventory, the leaked credentials pose significant risk. If any of them were still valid, an attacker could gain access to CISA's internal systems, manipulate data, or pivot from there into other government agencies. From a defender's standpoint, every credential in the repository must be treated as compromised and rotated, whether or not misuse has been observed, because a public repository can be cloned silently at any time.

How It Happened: Disabled Security Protections

GitHub's secret scanning push protection blocks pushes that contain high-confidence secret patterns (for example, AWS access keys or GitHub tokens) and is on by default for public repositories. The safeguard is meant to stop even experienced developers from accidentally exposing sensitive information. However, repository and organization administrators can turn the feature off entirely, and any contributor can bypass it for a specific push by supplying a reason; each bypass is recorded as a secret scanning alert and in the audit log.

In the case of the Private-CISA repo, the administrator had explicitly disabled secret scanning push protection, so credentials could be committed without any warning or block; Valadon observed this in the commit history. Why the protection was disabled remains unexplained, but it suggests either a lack of awareness of the risk or a deliberate bypass to accommodate a development workflow.


Implications for National Security

CISA is tasked with defending the nation's critical infrastructure against cyber threats. The exposure of its own internal credentials undermines its credibility and could be exploited by adversaries. Even though the repo has been taken offline, the data may have been cloned or indexed by bots before takedown; deleting a repository does not retire the secrets it contained, and only rotation does. Krebs noted that the repository had been public for months, which widened the window of exposure considerably.

This incident joins a growing list of high-profile credential leaks via public repositories, including breaches at Uber, Toyota, and several Fortune 500 companies. However, the involvement of a government cybersecurity agency makes this particularly damaging. Adversaries could use the leaked secrets to conduct espionage, disrupt operations, or launch attacks on critical infrastructure that CISA is supposed to protect.

Lessons for Organizations

The CISA breach underscores several best practices for managing secrets in software development:

  1. Never disable default secret scanning protections without a documented exception process and compensating controls, and alert on any change to those settings.
  2. Use a secrets manager such as HashiCorp Vault or AWS Secrets Manager instead of hardcoding credentials in source.
  3. Run regular automated scans of all repositories, including private ones and their full commit history, using tools like GitGuardian, TruffleHog, or GitHub's own secret scanning.
  4. Rotate credentials immediately upon any suspicion of exposure, even if the repository was public only briefly; assume anything pushed to a public repo has already been harvested.
  5. Apply least privilege to repository administration so that only a small, accountable group can disable security features.
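To make the push-protection mechanism described above and lessons 1 and 3 concrete, here is an added example, not CISA's or GitHub's code, of a minimal pre-commit secret scanner. It scans only the added lines of a unified diff for the same kinds of high-confidence patterns push protection looks for (AWS access key IDs, GitHub personal access tokens, private key headers) plus a lower-confidence check for quoted values assigned to password-like names, skips obvious placeholders, and redacts matches before reporting them so the scanner itself never echoes a secret into CI logs. The token formats are assumed from their publicly documented shapes, the sample diff is constructed for illustration (the AWS key is Amazon's documented example value), and `git diff --cached` is assumed to be run from inside a working tree when the script is used as a hook.

```python
"""Pre-commit style secret scan over a unified diff (added example)."""
import re
import subprocess
import sys
from dataclasses import dataclass

# High-confidence patterns. Assumption: token shapes as publicly documented.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
}
# Lower-confidence: a quoted value of 8+ chars assigned to a password-like name.
GENERIC = re.compile(
    r"(?i)(password|passwd|pwd|secret|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")
PLACEHOLDERS = ("example", "changeme", "placeholder", "xxxx", "<")


@dataclass
class Finding:
    line_no: int   # line number within the diff text, not the file
    kind: str
    snippet: str   # redacted, safe to print


def redact(value: str) -> str:
    """Keep only the ends so a report never reproduces the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def is_placeholder(value: str) -> bool:
    return any(p in value.lower() for p in PLACEHOLDERS)


def scan_diff(diff_text: str) -> list[Finding]:
    """Return findings for every added line that looks like it carries a secret."""
    findings: list[Finding] = []
    for no, line in enumerate(diff_text.splitlines(), 1):
        # Only added content matters; "+++ b/file" is a header, "-" lines are removed.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        hit = False
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(content):
                findings.append(Finding(no, kind, redact(m.group(0))))
                hit = True
        if hit:
            continue  # a high-confidence hit already covers this line
        m = GENERIC.search(content)
        if m and not is_placeholder(m.group(2)):
            findings.append(Finding(no, "generic_credential", redact(m.group(2))))
    return findings


# Constructed sample diff for illustration; the AWS key is Amazon's documented
# example value and the GitHub token is a made-up string of the right shape.
SAMPLE_DIFF = '''diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,7 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+DB_PASSWORD = "hunter2hunter2"
+TEST_PASSWORD = "changeme-placeholder"
+SSH_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----"
-OLD_PASSWORD = "legacy-secret-value"
 REGION = "us-east-1"
'''


def staged_diff() -> str:
    """Assumption: invoked as a git pre-commit hook inside a working tree."""
    return subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # "--sample" scans the embedded diff; otherwise scan the staged changes.
    text = SAMPLE_DIFF if "--sample" in sys.argv else staged_diff()
    hits = scan_diff(text)
    for f in hits:
        print(f"diff line {f.line_no}: {f.kind}: {f.snippet}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Run with `--sample` to see four findings (the AWS key, the GitHub token, the database password, and the private key header); the placeholder password and the removed line are ignored. A scanner like this is a local backstop, not a replacement for the platform's own push protection: it never sees pushes made from another clone, and the regexes cover only the token formats listed here.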

For government agencies, additional measures are crucial, including mandatory security training for all developers, periodic audits of repository configurations, and a rapid incident response plan for credential leaks.

This incident should serve as a wake-up call: even the agencies charged with cybersecurity can fall victim to basic mistakes. The key is to learn from them and strengthen defenses before the next inevitable mistake occurs.
