{"id":14269,"date":"2026-07-14T03:04:32","date_gmt":"2026-07-14T03:04:32","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/14\/lessons-learned-from-cisas-recent-github-leak\/"},"modified":"2026-07-14T03:04:32","modified_gmt":"2026-07-14T03:04:32","slug":"lessons-learned-from-cisas-recent-github-leak","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/14\/lessons-learned-from-cisas-recent-github-leak\/","title":{"rendered":"Lessons Learned from CISA\u2019s Recent GitHub Leak"},"content":{"rendered":"<p>    Lessons Learned from CISA\u2019s Recent GitHub Leak<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>The <strong>Cybersecurity and Infrastructure Security Agency<\/strong> (CISA) has issued a postmortem on a recent data leak in which a contractor published dozens of internal CISA credentials \u2014 including AWS Govcloud keys \u2014 in a public GitHub repository for almost six months before being notified by KrebsOnSecurity. Experts say the gaps identified in the agency\u2019s initial response provide important lessons that all security teams should absorb.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\" wp-image-73648 aligncenter\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2026\/05\/CISA-logo.png?resize=747%2C153&#038;ssl=1\" alt=\"\" width=\"747\" height=\"153\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/05\/CISA-logo.png 1873w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/05\/CISA-logo-768x157.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/05\/CISA-logo-1536x314.png 1536w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/05\/CISA-logo-782x160.png 782w\" sizes=\"(max-width: 747px) 100vw, 747px\"><\/p>\n<p>On May 15, 2026, the security firm <strong>GitGuardian<\/strong> asked for help in notifying CISA about the existence of a public GitHub repository called \u201cPrivate CISA\u201d that included 844 MB of sensitive CISA-related data. One of the exposed files, titled \u201cimportantAWStokens,\u201d included the administrative credentials to three Amazon AWS GovCloud servers. Another file \u2014 \u201cAWS-Workspace-Firefox-Passwords.csv\u201d \u2014 listed plaintext usernames and passwords for dozens of internal CISA systems.<\/p>\n<p>CISA quickly acknowledged our initial alert, but took more than 48 hours to invalidate the AWS keys and many other important secrets leaked in the GitHub repo. In <a href=\"https:\/\/www.cisa.gov\/news-events\/news\/lessons-cisas-cyber-incident\" target=\"_blank\" rel=\"noopener\">its report on the data leak<\/a>, CISA said the complexities of the agency\u2019s systems and interconnections with federal and industry partners caused its key rotation to take longer than anticipated.<\/p>\n<p>\u201cDrawing on this experience, CISA encourages others to maintain mature and well-tested key management capabilities,\u201d the report notes.<\/p>\n<p>CISA also admitted it can do better when it comes to responding to security incident notifications from external parties. The postmortem stresses that clear and distinct reporting channels are essential to ensure that incidents affecting the organization itself are handled differently from those involving its products or customers.<\/p>\n<p>\u201cIn CISA\u2019s case, these channels were not well defined, leading the security researcher to try multiple avenues \u2013 including emailing the contractor, submitting through CISA\u2019s vulnerability disclosure platform (which is intended for vulnerabilities impacting the broader cybersecurity community), and ultimately involving a reporter,\u201d reads the analysis written by <strong>Preston Werntz<\/strong> and <strong>Brad Libbey<\/strong>, the acting chief information officer and acting chief information security officer at CISA, respectively.<\/p>\n<p>CISA said it is refining its reporting channels to make them easier and faster for researchers. \u201cAdditionally, while many researchers rely on the security.txt file, organizations can ensure clarity by publishing reporting instructions in multiple prominent locations,\u201d the CISA authors wrote.<\/p>\n<p><strong>Guillaume Valadon<\/strong>, the GitGuardian researcher who first contacted KrebsOnSecurity about the exposed CISA credentials, said CISA ignored nine automated alerts about the exposed credentials prior to our notification on May 15. Valadon\u2019s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures.<\/p>\n<p>\u201cLetting nine notification emails go unanswered is how a one-day incident becomes a six-month exposure,\u201d Valadon <a href=\"https:\/\/blog.gitguardian.com\/cisa-github-leak-incident-response-lessons\/\" target=\"_blank\" rel=\"noopener\">wrote<\/a> in an analysis of CISA\u2019s report. \u201cMake it trivial to report a leak about you, not just about your products. The person reporting a leak to you is not the threat. Publish a <a href=\"https:\/\/krebsonsecurity.com\/2021\/09\/does-your-organization-have-a-security-txt-file\/\" target=\"_blank\" rel=\"noopener\">security.txt<\/a>, but do not stop there. Put reporting instructions in several prominent places, and make sure a report about your own infrastructure does not land in a product-bug queue.\u201d<span id=\"more-73982\"><\/span><\/p>\n<p>The report\u2019s authors also emphasized the importance of continuously scanning public code repositories like GitHub for exposed secrets, and said CISA has since rotated all secrets and created an action plan to improve management of developer secrets and to better monitor for them going forward.<\/p>\n<p>The report notes that while CISA had developed a playbook for responding to cybersecurity incidents, that playbook somehow didn\u2019t include what to do in situations involving GitHub or other cloud services. Valadon said the report validates the need to scan continuously \u2014 not just quarterly \u2014 for exposed secrets.<\/p>\n<p>\u201cThe Private-CISA repository sat public for six months,\u201d Valadon wrote. \u201cContinuous monitoring of public GitHub surfaced it. Comprehensive internal scanning could have caught the plaintext passwords and committed backups long before they left the building.\u201d<\/p>\n<p>CISA gave itself passing grades on several areas of security preparedness that it said helped the agency gauge the scope and impact of the exposed secrets, including enhanced logging capabilities, and the adoption of zero-trust principles in both its production and development systems. CISA said those detailed logs allowed it to show that no customer or mission data was exposed, and that the leaked credentials were not used outside of CISA\u2019s environments. The agency said the contractor who exposed the secrets had their system access revoked.<\/p>\n<p>Valadon reckons the biggest takeaway is the CISA postmortem itself, and praised the agency for being transparent about what worked and what didn\u2019t.<\/p>\n<p>\u201cTo my knowledge, it is also the first time a national cybersecurity agency has publicly advocated for secrets scanning and for simplifying relations with security researchers,\u201d Valadon wrote. \u201cThat is exactly the incident communication we should expect from every organization.\u201d<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    BrianKrebs<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2026\/07\/lessons-learned-from-cisas-recent-github-leak\/\">Go to krebsonsecurity<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lessons Learned from CISA\u2019s Recent GitHub Leak The Cybersecurity and Infrastructure Security Agency (CISA) has issued a postmortem on a recent data leak in which a contractor published dozens of internal CISA credentials \u2014 including AWS Govcloud keys \u2014 in a public GitHub repository for almost six months before being notified by KrebsOnSecurity. Experts say [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,2580,811,189,1217,2477,55,206,2581],"tags":[72],"class_list":["post-14269","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-brad-libbey","category-cybersecurity-and-infrastructure-security-agency","category-data-breaches","category-gitguardian","category-guillaume-valadon","category-krebsonsecurity","category-latest-warnings","category-preston-werntz","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14269"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14269"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14269\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14269"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}