Researcher Says CISA Contractor Left Cloud Login Data Publicly Accessible On GitHub

A security researcher says large numbers of plain-text login credentials and cloud access keys tied to the Cybersecurity and Infrastructure Security Agency were posted in a public Git repository, potentially exposing federal systems. The credentials — described as login tokens, cloud access keys and other sensitive files — were discovered in spreadsheets that a contractor employee had uploaded, according to the researcher and subsequent reporting.

Guillaume Valadon of security firm GitGuardian found the files and, after validating several of the keys to confirm they worked, alerted security reporter Brian Krebs when a contractor contact did not respond to his warnings. Valadon said the exposed records provided access to systems belonging to CISA and its parent agency, the Department of Homeland Security. It’s not known whether anyone else saw or used the information before it was discovered.

CISA acknowledged the report and said it is looking into the matter, adding there’s currently no sign that any sensitive information was taken as a result of the exposure. A CISA spokesperson declined to say publicly whether the agency has evidence of an intrusion tied to the exposed credentials or whether those credentials have been revoked and replaced.

The episode has drawn criticism because CISA issues guidance to federal agencies and private organizations on how to safeguard credentials, including recommending encrypted password managers rather than unprotected spreadsheets. While the immediate posting appears to have originated with a contractor employee, CISA bears responsibility for the security of its networks and the oversight of contractors who handle sensitive data.

The agency’s staffing and leadership situation has heightened scrutiny. CISA has been operating without a permanent director since Jan. 20, 2025, when its previous leader left, and the organization has lost roughly one in three staff members amid cuts, furloughs and layoffs since the change in administration. A former federal cybersecurity official, speaking on the condition of anonymity, said those reductions can strain oversight of third-party vendors and urged more frequent audits and stricter controls on credential handling.

Investigations are ongoing and the incident underscores persistent risks when sensitive secrets are stored in publicly accessible locations. CISA’s initial public comment was added after the disclosure.