The Agency That Tells You to Protect Your Credentials Just Left Theirs on GitHub. Here's What It Means for Your Business.
Breaking News Credential Risk May 2026 · 7 min read On May 14, 2026, a security researcher found 844 megabytes of US government credentials sitting in a public GitHub repository named "Private-CISA." The credentials belonged to CISA — the agency whose job is to tell businesses how to protect their credentials. The five lessons from this story apply directly to every SMB in America. The files were named with a frankness that made security researchers do a double-take. One was called "importantAWStokens." Another was "AWS-Workspace-Firefox-Passwords.csv" — a spreadsheet listing plaintext usernames and passwords for dozens of internal government systems. Both were sitting in a public GitHub repository that anyone on the internet could read, download, and use. The repository had been there since November 13, 2025. For six months, credentials granting high-level administrative access to US gover...