The U.S. Cybersecurity and Infrastructure Security Agency is facing intense scrutiny after a contractor exposed sensitive credentials to dozens of internal systems on a public GitHub repository. Lawmakers are demanding answers about how the nation's top cybersecurity agency could suffer such a breach.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is facing intense congressional scrutiny after KrebsOnSecurity revealed that a contractor with administrative access to the agency's code development platform published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The incident has raised serious questions about security practices at the very agency charged with protecting federal networks.
According to KrebsOnSecurity, the contractor created a public GitHub profile called "Private-CISA" that included plaintext credentials to dozens of internal CISA systems. Experts who reviewed the exposed secrets noted that the commit logs showed the contractor had deliberately disabled GitHub's built-in protections against publishing sensitive credentials in public repositories.
The Private-CISA GitHub repo exposed dozens of plaintext credentials to important CISA GovCloud resources. The filenames included AWS-Workspace-Bookmarks-April-6-2026.html, AWS-Workspace-Firefox-Passwords.csv, Important AWS Tokens.txt, kube-config.txt, and other sensitive files.
In a written statement, CISA acknowledged the leak but claimed "there is no indication that any sensitive data was compromised as a result of the incident." However, the repository was originally created in November 2025 and contained credentials that were likely exposed to malicious actors, particularly those added in late April 2026.
The incident has prompted swift reaction from lawmakers. Sen. Maggie Hassan (D-NH) sent a letter to CISA's Acting Director Nick Andersen on May 19, raising "serious concerns regarding CISA's internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure."
Rep. Bennie Thompson (D-MS), the ranking member on the House Homeland Security Committee, echoed these concerns in a co-signed letter with Rep. Delia Ramirez (D-Ill). "We are concerned that this incident reflects a diminished security culture and/or an inability for CISA to adequately manage its contract support," Thompson wrote. "The files contained in the 'Private-CISA' repository provided the information, access, and roadmap" for adversaries to compromise federal networks.
A May 19 letter from Sen. Margaret Hassan (D-NH) to the acting director of CISA demanded answers to a dozen questions about the breach.
The breach comes amid significant internal turmoil at CISA, which has lost more than a third of its workforce and almost all senior leadership after the Trump administration forced a series of early retirements, buyouts, and resignations across the agency's divisions.
Technical experts have highlighted the severity of the exposure. Dylan Ayrey, creator of TruffleHog, an open-source tool for discovering private keys in public code repositories, told KrebsOnSecurity that CISA initially failed to invalidate an RSA private key exposed in the Private-CISA repo. This key granted access to a GitHub app owned by the CISA enterprise account and installed with full administrative access to all code repositories.
"An attacker with this key can read source code from every repository in the CISA-IT organization, including private repos, register rogue self-hosted runners to hijack CI/CD pipelines and access repository secrets, and modify repository admin settings including branch protection rules, webhooks, and deploy keys," Ayrey explained.
CI/CD (Continuous Integration and Continuous Delivery) refers to automated practices for building, testing and deploying software. A compromised CI/CD pipeline could allow attackers to insert malicious code into production systems.
Ayrey noted that Truffle Security monitors GitHub and other code platforms for exposed keys and attempts to alert affected accounts. However, he emphasized that cybercriminal actors also monitor these public feeds and are quick to exploit inadvertently published credentials.
"We have evidence attackers monitor that firehose as well," Ayrey said. "Anyone monitoring GitHub events could be sitting on this information."
The incident highlights broader challenges in securing development environments. James Wilson, enterprise technology editor for Risky Business security podcast, noted that organizations can implement top-down policies preventing employees from disabling GitHub's protections against publishing secret keys.
However, his co-host Adam Boileau pointed out that technical controls alone cannot prevent employees from using personal accounts to store sensitive information. "Ultimately, this is a thing you can't solve with a technical control," Boileau said. "This is a human problem where you've hired a contractor to do this work and they have decided of their own volition to use GitHub to synchronize content from a work machine to a home machine."
As of late May, CISA was still working to invalidate and replace many of the exposed keys and secrets, more than a week after being first notified by the security firm GitGuardian. The agency stated it is "actively responding and coordinating with the appropriate parties and vendors to ensure any identified leaked credentials are rotated and rendered invalid."
For organizations managing sensitive code and credentials, this incident serves as a critical reminder of the importance of:
- Implementing strict policies against using personal accounts for work-related code storage
- Regular auditing of public repositories for exposed credentials
- Implementing automated tools to detect and respond to credential exposures
- Ensuring proper credential rotation procedures are in place
- Maintaining visibility into all development environments, including contractor access
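As an added example for the auditing and automated-detection items in the list above (code written for this page; it is not CISA's tooling, nor TruffleHog or GitGuardian), a minimal secret scanner in the style such tools use: signature rules for AWS access key IDs, AWS secret keys and PEM private-key headers, plus an entropy check on values assigned to secret-like keywords, run over constructed file contents named after the files in the Private-CISA repo. The AWS values are the placeholder keys from AWS's documentation; the token and key body are made up, and findings are redacted so an alert cannot itself leak the secret.

```python
import math
import re
# Constructed sample files named after the kinds of files the article describes.
# The AWS values are the placeholder keys from AWS's own documentation; every
# other value is made up and is not a real credential.
SAMPLE_FILES = {
    "Important AWS Tokens.txt": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "kube-config.txt": "users:\n- name: admin\n  user:\n    token: "
        "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.Q7xK2mP9vL4nR8sT1wZ5yB3cD6fG0hJ\n",
    "github-app.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAconstructed\n"
        "-----END RSA PRIVATE KEY-----\n",
    "README.md": "# Notes\nNothing secret here, just documentation.\n",
}
# Signature rules: (name, regex); group 1 captures the secret itself.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("aws-secret-access-key", re.compile(r"aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})")),
    ("private-key-block", re.compile(r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)")),
]
# Generic rule: a secret-like keyword assigned a long value, reported only when
# the value's entropy looks like key material rather than a word or a URL.
KEYWORD_ASSIGN = re.compile(
    r"(?i)\b(?:token|secret|password|passwd|api[_-]?key)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+=]{20,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; random keys and JWTs sit well above this

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(secret: str) -> str:
    """Mask a secret before it goes into an alert, so the finding cannot leak it."""
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 8 else "*" * len(secret)

def scan_files(files: dict[str, str]) -> list[dict]:
    """Return one finding per (file, line, rule) across all file contents."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            hits = [(rule, m.group(1)) for rule, rx in PATTERN_RULES for m in rx.finditer(line)]
            hits += [("high-entropy-assignment", m.group(1)) for m in KEYWORD_ASSIGN.finditer(line)
                     if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD]
            findings += [{"file": name, "line": lineno, "rule": r, "value": redact(v)} for r, v in hits]
    return findings

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['rule']} {f['value']}")
```

In practice the same rules would run as a pre-receive or CI check over every commit, and any hit on a public repository should trigger rotation of the credential rather than just deletion of the file, since the commit history and any downstream mirrors keep the value.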
The breach underscores that even organizations with the highest security mandates can fall victim to basic security lapses when proper controls and oversight are not maintained. CISA, tasked with protecting federal networks, must now demonstrate it can secure its own systems while addressing the broader challenges of insider threats and contractor security.