The Agency That Tells You to Protect Your Credentials Just Left Theirs on GitHub. Here's What It Means for Your Business.



Breaking News · Credential Risk
May 2026  ·  7 min read

On May 14, 2026, a security researcher found 844 megabytes of US government credentials sitting in a public GitHub repository named "Private-CISA." The credentials belonged to CISA — the agency whose job is to tell businesses how to protect their credentials. The five lessons from this story apply directly to every SMB in America.


The files were named with a frankness that made security researchers do a double-take. One was called "importantAWStokens." Another was "AWS-Workspace-Firefox-Passwords.csv" — a spreadsheet listing plaintext usernames and passwords for dozens of internal government systems. Both were sitting in a public GitHub repository that anyone on the internet could read, download, and use.

The repository had been there since November 13, 2025. For six months, credentials granting high-level administrative access to US government cloud infrastructure were publicly accessible. Not hidden in a dark web marketplace. Not stolen by a nation-state actor. Just sitting there, in plain text, in a folder someone named "Private-CISA" — apparently under the impression that naming a repository "private" makes it private.

The repository belonged to a contractor working for CISA — the Cybersecurity and Infrastructure Security Agency — the branch of the US government whose specific mandate is to improve the nation's cybersecurity posture. The same agency that publishes guidance telling American businesses how to protect their credentials.

844 MB of government credentials exposed publicly: passwords, AWS tokens, SAML certificates, build files (GitGuardian / KrebsOnSecurity, May 2026)
6 months the repository was publicly accessible before a researcher discovered it; it was created November 13, 2025 (KrebsOnSecurity, May 2026)
48 hours the exposed AWS credentials remained valid and functional after the repository was taken down (Cyberpress / KrebsOnSecurity, May 2026)

What actually happened — the timeline

Incident Timeline: CISA GitHub Credential Exposure

Nov 13, 2025: A Nightwing contractor creates a public GitHub repository named "Private-CISA," apparently using it as a personal file sync tool between a work laptop and a home computer. Sensitive government credentials are included from the beginning. The contractor has explicitly disabled GitHub's built-in secret scanning feature.

Nov 2025 to May 2026: Regular commits continue over six months. No internal CISA monitoring flags the publicly exposed repository or its contents. 844 MB of credentials, tokens, and build files accumulate in the public repository across the working tree and git history.

May 14, 2026: GitGuardian's automated scanning platform detects the CISA repository. Researcher Guillaume Valadon identifies the exposure and attempts to alert the account owner. Automated notifications go unanswered.

May 15, 2026: Valadon escalates to KrebsOnSecurity. Security researcher Philippe Caturegli of Seralys validates the exposed credentials, confirming they authenticate to three AWS GovCloud accounts at a high privilege level. "That would be a prime place to move laterally. Backdoor in some software packages and every time they build something new, they deploy your backdoor," Caturegli warns.

May 18, 2026: CISA takes the repository offline within 26 hours of notification. The story breaks publicly. CISA states there is "currently no indication that any sensitive data was compromised."

48 hours later: The exposed AWS credentials remain valid and functional for nearly 48 hours after the repository is taken down, meaning anyone who copied those credentials during the six-month exposure window could still use them after the repo was gone.
"Passwords stored in plain text in a CSV, backups in git, explicit commands to disable GitHub secret detection. I honestly believed it was all fake before analyzing the content deeper. This is indeed the worst leak that I've witnessed in my career. It is obviously an individual's mistake, but I believe that it might reveal internal practices." — Guillaume Valadon, GitGuardian researcher, to KrebsOnSecurity.

What the files actually contained

The specific files in the "Private-CISA" repository tell the story clearly:

📁 Private-CISA/ (public repository)
  ├── importantAWStokens             # admin credentials to 3 AWS GovCloud servers
  ├── AWS-Workspace-Firefox-Passwords.csv  # plaintext usernames + passwords, dozens of systems
  ├── LZ-DSO credentials             # access to CISA secure development environment
  ├── Artifactory access             # software build repository — supply chain risk
  ├── SSH keys                       # authentication tokens
  ├── Entra ID SAML certificates     # identity federation credentials
  └── build + deployment logs        # internal system architecture revealed

The Artifactory access deserves specific attention. Artifactory is an artifact repository: it stores the packages, libraries, and build outputs an organization uses to assemble its applications. Write access to CISA's Artifactory would allow an attacker to insert malicious code into those packages, meaning every future build CISA deploys would carry the attacker's backdoor. That is not merely a credential breach. That is a supply chain attack on US cybersecurity infrastructure.

The five lessons that apply directly to your business

Lesson 1 (Human error): The most dangerous credential threats come from people, not hackers

No nation-state actor breached CISA. No zero-day exploit was used. A contractor needed to move files between a work laptop and a home computer and chose the path of least resistance. This is the same pattern as 84% of insider incidents: not malice, not sophistication — just someone solving a convenience problem without thinking about security consequences.

Every one of your employees has done something similar or will do it. Without clear policy, approved tools, and monitoring for where sensitive data ends up, your credentials are one convenience decision away from the same outcome.

For your business: Provide approved file sync tools so employees don't solve the problem themselves. The contractor didn't create a public GitHub repo because they wanted to expose credentials. They created it because nobody gave them a better option.

Lesson 2 (Control bypass): Disabling security controls is the most dangerous action any employee can take

The contractor deliberately disabled GitHub's secret scanning feature — which exists specifically to prevent sensitive data from being published to public repositories. The commit logs show this was an explicit action. The security control was there. Someone turned it off because it was inconvenient.

In your business: disabling MFA because login is annoying. Turning off automatic updates because the reboot is inconvenient. Exempting admin accounts from password policy because they're trusted. Every deliberate bypass of a security control is a CISA-scale incident waiting to happen at a smaller scale.

For your business: Audit which security controls your employees can disable. MFA should be enforced at the identity provider level; not just available, enforced. Controls that can be disabled will eventually be disabled.

Lesson 3 (Detection gap): Six months of undetected exposure is not unusual; it's the documented average

CISA had no internal monitoring that caught this in 180 days. IBM's 2025 research documents the average credential breach detection time at 292 days. CISA outperformed the average — and it still took six months. The detection didn't come from internal monitoring. It came from GitGuardian — a commercial tool that continuously scans public repositories from the outside.

For your business: External attack surface monitoring, watching what's publicly visible about your domain, your credentials, and your systems, is what closes the gap that internal monitoring misses. The CISA story is an advertisement for why continuous external visibility matters.

Lesson 4 (Remediation gap): Taking down the leak doesn't end the exposure

After the repository was taken down, CISA's AWS credentials remained valid for 48 hours. Anyone who had accessed those credentials during the six-month window could still use them after the repo was gone. Deleting the source of the leak doesn't invalidate the credentials that were in it.

For your business: When you discover a credential exposure, in a breach database, in a shared file, anywhere, the response is rotation, not just removal. Change every exposed credential immediately. The credentials in HIBP from last month are still being tested against your systems today.
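Two mechanisms this article leans on are easy to see in code: what secret scanning (lesson 2) actually flags, and why deleting a leaked file from a repository neither removes it from git history (see the timeline) nor invalidates the credential (lesson 4). The following is an added example, not code from the article, from GitHub, or from GitGuardian: a toy scanner with a handful of illustrative patterns run over a constructed two-commit history. The file names mirror those the article names; the contents, commit ids, and detector patterns are assumptions, and the AWS values are the non-functional example credentials AWS publishes in its own documentation.

```python
"""Added example (not code from the article, GitHub, or GitGuardian): a minimal
secret scanner run over a constructed commit history. It shows what secret
scanning flags and why a secret deleted from the working tree is still in git
history and must be rotated, not just removed. Patterns, file contents, and
commit ids are assumptions for illustration."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "commit path kind redacted")

# Illustrative detectors; real products use far larger pattern sets plus validators.
DETECTORS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("certificate_block", re.compile(r"-----BEGIN CERTIFICATE-----")),
]


def redact(match_text):
    """Keep enough of a match to triage a report without reproducing the secret."""
    return match_text[:4] + "*" * max(0, len(match_text) - 4)


def csv_has_password_column(text):
    """True for a CSV whose header names a password column and which has data rows."""
    rows = [r for r in text.splitlines() if r.strip()]
    if len(rows) < 2:
        return False
    header = [h.strip().lower() for h in rows[0].split(",")]
    return any("password" in h or "passwd" in h for h in header)


def scan_blob(commit, path, text):
    """Run every detector over one file version and return the findings."""
    found = []
    for kind, rx in DETECTORS:
        for m in rx.finditer(text):
            found.append(Finding(commit, path, kind, redact(m.group(0))))
    if path.lower().endswith(".csv") and csv_has_password_column(text):
        found.append(Finding(commit, path, "plaintext_password_csv", "<csv header>"))
    return found


def scan_history(history):
    """history: list of (commit_id, {path: content}) snapshots, oldest first.
    Scanning every snapshot, not just the latest, is what finds secrets that
    were later 'cleaned up' by deleting the file."""
    findings = []
    for commit, tree in history:
        for path, content in tree.items():
            findings.extend(scan_blob(commit, path, content))
    return findings


def removed_but_still_in_history(history):
    """(path, kind) pairs found in an older commit but absent from the head
    snapshot: gone from the working tree, still retrievable from history,
    so the underlying credential must be rotated."""
    head_commit = history[-1][0]
    all_findings = scan_history(history)
    in_head = {(f.path, f.kind) for f in all_findings if f.commit == head_commit}
    older = {(f.path, f.kind) for f in all_findings if f.commit != head_commit}
    return older - in_head


# Constructed sample history. File names mirror those named in the article;
# contents are invented, and the AWS values are the non-functional example
# credentials published in AWS documentation.
SAMPLE_HISTORY = [
    ("c1-initial-sync", {
        "importantAWStokens":
            "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "AWS-Workspace-Firefox-Passwords.csv":
            "url,username,password\n"
            "https://intranet.example.invalid,svc-admin,hunter2\n",
        "README.md": "personal sync folder\n",
    }),
    ("c2-delete-creds-add-deploy-key", {
        "README.md": "personal sync folder\n",
        "deploy.key":
            "-----BEGIN OPENSSH PRIVATE KEY-----\n"
            "(constructed placeholder, not a real key)\n"
            "-----END OPENSSH PRIVATE KEY-----\n",
    }),
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.commit}: {f.path} [{f.kind}] {f.redacted}")
    print("removed from tree but still in history, rotate:",
          sorted(removed_but_still_in_history(SAMPLE_HISTORY)))
```

Run it directly to print the findings. The point of removed_but_still_in_history is that the second commit, which deletes the token file and the password spreadsheet, changes nothing about the exposure: all three earlier findings are still in history, and the rotation list is the same three items whether or not the files were deleted.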

Lesson 5 (The upside): If it can happen to CISA, it will happen to businesses that take fewer precautions

CISA has a dedicated security team, sophisticated tooling, and a workforce whose entire job is cybersecurity. They still had a contractor disable secret scanning, store passwords in plain text, and expose government infrastructure for six months. The incident wasn't caused by lack of knowledge — it was caused by the gap between policy and practice.

The upside: the controls that would have prevented this are not sophisticated. A properly configured secret scanning requirement that employees cannot disable would have caught it. A policy that provides approved sync tools would have prevented it. A monitoring system that catches publicly exposed credentials would have detected it. All three are achievable at SMB scale.

For your business: CISA failed on fundamentals, controls that can be disabled, credentials in plain text, no external visibility. These are the same fundamentals the 30-minute audit in this series covers. You don't need a government security team to close them.

The CISA incident is also a workforce story. The agency has reportedly lost nearly a third of its staff since early 2025, dropping from approximately 3,400 employees to around 2,400. Reduced headcount creates exactly the conditions that lead to incidents like this: fewer people reviewing contractor activities, less capacity to enforce policy, and more individual employees making convenience decisions without oversight. Any business that has grown quickly, downsized, or undergone significant staff turnover has the same gaps in oversight.

The question your business should be asking right now

The CISA story ends with a statement that will sound familiar: "Currently, there is no indication that any sensitive data was compromised." This is not reassurance. This is the default statement issued when an organization doesn't yet know the extent of the damage. CISA has no way to know who accessed those credentials during six months of public exposure. Neither do you, if a credential from your business has been sitting in a breach database.

The parallel for small businesses isn't dramatic. It's quiet. A former employee's account still active. A password stored in a shared spreadsheet. A vendor with access that was never revoked. A credential in HIBP that nobody checked. None of these feel like "the worst leak a researcher has witnessed in their career." They feel like administrative tasks that never made it to the priority list.

The CISA contractor didn't think they were doing anything wrong. They were solving a problem. The five checks in this series close those gaps — not because they're sophisticated, but because they're the fundamentals that even the most sophisticated organizations fail to maintain.

Platforms like Veriti Spottr give SMBs continuous external visibility into exactly the signals the CISA incident exposed — publicly accessible credentials, configuration gaps, and attack surface changes that internal monitoring misses. GitGuardian found CISA's leak because they were watching from the outside. Veriti Spottr watches your domain from the outside the same way. Most breaches are found by external observers before internal teams know anything is wrong.

See what's publicly visible about your domain — before someone else does. Veriti Spottr's beta is free.

Veriti Spottr Team AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
