Cyber Security

Lessons Learned from CISA’s Latest GitHub Leak – Krebs on Security

I Cybersecurity and Infrastructure Security Agency (CISA) has issued a death toll on a recent data leak in which a contractor published a trove of CISA’s internal credentials — including AWS Govcloud keys — to a public GitHub repository about six months before it was notified by KrebsOnSecurity. Experts say the gaps revealed in the agency’s initial response offer important lessons that all security teams should take note of.

On May 15, 2026, the defense company GitGuardian asked for help informing CISA about the existence of a GitHub repository called “CISA Confidential” containing 844 MB of sensitive CISA-related data. One of the leaked files, titled “importantAWStokens,” includes administrative credentials for three Amazon AWS GovCloud servers. Another file — “AWS-Workspace-Firefox-Passwords.csv” — lists usernames and passwords for dozens of internal CISA systems.

CISA quickly acknowledged our initial warning, but it took more than 48 hours to deactivate the AWS keys and many other important secrets leaked from the GitHub repo. In its report on the data leak, CISA said the complexity of the agency’s systems and communications with government and industry partners caused its critical rotation to take longer than expected.

“Using this experience, CISA encourages others to maintain critical management skills that are mature and well-tested,” the report notes.

CISA also acknowledged that it could do better when it comes to responding to security incident notifications from outside parties. The postmortem emphasizes that clear and transparent reporting processes are essential to ensure that incidents affecting the organization itself are handled differently from those involving its products or customers.

“In the case of CISA, these channels were not well defined, which led the security researcher to try many methods – including sending an email to the contractor, sending it through the CISA vulnerability disclosure platform (targeted at risks affecting the Internet security community), and finally involving the journalist,” reads the analysis written by. Preston Werntz again Brad Libbeyacting chief information officer and acting chief security officer at CISA, respectively.

CISA said it is adjusting its reporting procedures to make it easier and faster for researchers. “Furthermore, although many researchers rely on the security.txt file, organizations can ensure clarity by publishing reporting instructions in more prominent places,” the CISA authors wrote.

Guillaume Valadona GitGuardian researcher who first contacted KrebsOnSecurity about CISA’s leaked data, said CISA ignored nine automatic warnings about leaked data before our notice on May 15. Valadon’s company regularly scans public code repositories on GitHub and elsewhere for leaked secrets, automatically alerting them to potentially revealing data.

“Allowing nine notification emails to go unanswered is how a one-day incident becomes a six-month exposure,” Valadon wrote in his analysis of the CISA report. “Make it a point to report leaks about yourself, not just about your products. The person reporting the leak to you is not a threat. Publish the security.txt, but don’t stop there. Put reporting instructions in a few prominent places, and make sure the report about your infrastructure doesn’t fall into the product-bug line.”

The report’s authors also stressed the importance of continuing to scan public code repositories like GitHub for leaked secrets, and said CISA is circulating all secrets and creating an action plan to improve developer secrets management and better monitoring going forward.

The report notes that while CISA had developed a playbook for responding to cybersecurity incidents, that playbook did not include what to do in situations involving GitHub or other cloud services. Valadon said the report confirms the need to scan continuously – not just quarterly – for exposed secrets.

“The Private-CISA repository remained public for six months,” Valadon wrote. “Continuous monitoring of public GitHub has evolved. Full internal scans can catch sensitive passwords and backups long before they leave the building.”

CISA gave itself passing marks in several areas of security preparedness that helped the agency measure the scope and impact of disclosed secrets, including improved logging capabilities, and the adoption of antitrust principles in both its manufacturing and development systems. CISA said those detailed logs allowed it to show that no customer or device data was exposed, and that the leaked data was not used outside of CISA’s premises. The agency said the contractor who disclosed the secrets has been withdrawn from the program.

Valadon considers that the biggest takeaway was the postmortem of CISA itself, and praised the agency for being transparent about what worked and what didn’t.

“To my knowledge, this is the first time that a national cybersecurity agency has publicly advocated declassifying and facilitating relationships with security researchers,” Valadon wrote. “That’s exactly the type of incident communication we should expect from all organizations.”

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button