ZCyberNews
中文
Industry NewsHigh3 min read

CISA Postmortem Reveals GitHub Credential Leak Lasted Six Months

CISA's postmortem on a GitHub leak exposing 844 MB of internal data, including AWS GovCloud keys, reveals the agency ignored nine automated alerts and took 48 hours to rotate...

Screenshot of a CISA postmortem report cover page titled 'Lessons Learned from CISA's Recent GitHub Leak'

Executive Summary

A contractor working for the Cybersecurity and Infrastructure Security Agency (CISA) published 844 MB of sensitive internal data — including administrative credentials to three AWS GovCloud servers and plaintext usernames and passwords for dozens of internal systems — in a public GitHub repository for nearly six months before the exposure was reported. CISA's postmortem, published July 13, 2026, reveals the agency ignored nine automated alerts from security firm GitGuardian and took more than 48 hours to rotate the exposed keys after being notified by KrebsOnSecurity. The incident underscores critical gaps in incident response and secrets management that affect all organizations, not just government agencies.

Technical Analysis

On May 15, 2026, GitGuardian researcher Guillaume Valadon asked KrebsOnSecurity to help notify CISA about a public GitHub repository named "Private CISA." The repository contained 844 MB of data, including a file titled "importantAWStokens" holding administrative credentials to three Amazon AWS GovCloud servers, and "AWS-Workspace-Firefox-Passwords.csv," which listed plaintext usernames and passwords for dozens of internal CISA systems. According to CISA's postmortem, authored by acting CIO Preston Werntz and acting CISO Brad Libbey, the agency's key rotation took longer than anticipated due to "the complexities of the agency's systems and interconnections with federal and industry partners."

Valadon's firm, GitGuardian, constantly scans public code repositories for exposed secrets and had sent nine automated alerts to CISA prior to the KrebsOnSecurity notification. "Letting nine notification emails go unanswered is how a one-day incident becomes a six-month exposure," Valadon wrote in his analysis of the report. The repository sat public for approximately six months before the May 15 notification.

CISA's postmortem acknowledged that its incident response playbook did not include procedures for handling exposures involving GitHub or other cloud services. The agency also admitted its reporting channels were not well defined, leading Valadon to try multiple avenues — emailing the contractor directly, submitting through CISA's vulnerability disclosure platform (designed for product vulnerabilities, not internal incidents), and ultimately involving a reporter. "In CISA's case, these channels were not well defined," the report states.

The agency credited its enhanced logging and zero-trust architecture for enabling it to determine that no customer or mission data was exposed and that the leaked credentials were not used outside CISA's environments. The contractor who exposed the secrets had their system access revoked.

Mitigations & Recommendations

CISA's postmortem and Valadon's analysis offer concrete lessons for security teams. Organizations should continuously scan public code repositories for exposed secrets — quarterly scans are insufficient, as evidenced by the six-month exposure window. Incident response playbooks must explicitly cover cloud service exposures, including GitHub, and define clear, separate reporting channels for internal incidents versus product vulnerabilities. CISA recommends publishing reporting instructions in multiple prominent locations beyond the standard security.txt file. The agency has since rotated all secrets and created an action plan for improved developer secrets management and monitoring.

Stay Updated

Get the latest cybersecurity news delivered to your inbox.

Tags:#cisa#github#credential-leak#postmortem#secrets-scanning#incident-response

Related Articles