When the Nation's Cyber Watchdog Leaves the Door Wide Open: Lessons from the CISA GitHub Leak

May 21, 2026·8 min read·By Poole Associates Team

If you've ever wondered whether cybersecurity basics really matter — whether the fundamentals like using a password manager, never storing credentials in plain text, and keeping sensitive files off public repositories are worth the effort — this story should settle the question.

In May 2026, it came to light that a contractor working for the Cybersecurity and Infrastructure Security Agency (CISA) — the very federal agency responsible for protecting America's civilian cyber infrastructure — had been publicly exposing hundreds of megabytes of sensitive government credentials on GitHub since November 2025. We're not talking about a sophisticated breach or an elite nation-state attack. We're talking about passwords stored in a CSV file, cloud keys sitting in a text file, and explicit instructions in the repository to disable GitHub's built-in secret scanning. For six months.

What Happened

On May 14, 2026, security researchers at GitGuardian discovered a public GitHub repository named — somewhat ironically — "Private-CISA." The repository contained 844 MB of data, including:

  • Plain-text passwords stored in spreadsheets (including a file literally named AWS-Workspace-Firefox-Passwords.csv)
  • AWS GovCloud access tokens for highly privileged government cloud accounts
  • Entra ID SAML certificates used for authentication into government systems
  • Kubernetes configuration files and CI/CD deployment workflows
  • Internal documentation backups, including OneNote exports and infrastructure diagrams
  • GitHub and personal access tokens for CISA's own internal systems

Some of those credentials were still valid. GitGuardian researcher Guillaume Valadon tested several keys and confirmed they authenticated successfully against live government systems — including, according to security consultant Philippe Caturegli of Seralys, three AWS GovCloud accounts at a high privilege level.

The repository was traced to an employee of Nightwing, a government contractor based in Dulles, Virginia. Security experts believe the contractor was using the GitHub repository as a way to sync files between a work laptop and a home computer — essentially using a public code repository as a personal file-sharing service for government credentials.

Making matters worse: the commit history showed the contractor had explicitly disabled GitHub's built-in secret scanning — the feature that would have automatically flagged and blocked sensitive credentials from being published publicly.

"Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature," GitGuardian's Guillaume Valadon told KrebsOnSecurity. "This is indeed the worst leak that I've witnessed in my career."

The Timeline

The sequence of events underscores both how long exposures can go undetected and how responsive the right disclosure process can be:

  • November 13, 2025 — The "Private-CISA" repository is created and credentials begin accumulating publicly on GitHub
  • May 13, 2026 — GitGuardian's automated monitoring detects the leak; nine notification emails are sent to the commit author — all ignored
  • May 14, 2026 — GitGuardian formally reports the leak to CERT/CC and begins working contacts to escalate
  • May 15, 2026 — With no response and the weekend approaching, GitGuardian contacts journalist Brian Krebs, who relays the disclosure to CISA contacts directly
  • May 15, 2026, ~6:00 PM EST — The repository is taken offline, roughly 26 hours after GitGuardian's initial report

The good news: a legitimate security researcher found it first and disclosed responsibly. The bad news: the credentials had been sitting in the open for six months, and according to Caturegli, the exposed AWS keys continued to remain valid for another 48 hours after the repository was taken down.

CISA's official statement acknowledged the exposure and said there is "no indication that any sensitive data was compromised." However, the agency declined to confirm whether credentials had been revoked or how long it took to respond.

Why This Matters to Your Business

You might be reading this and thinking: "That's a government problem. We're a small business." But here's the thing — the human behaviors that caused this breach happen in organizations of every size, every day.

The CISA contractor wasn't a malicious insider or a compromised account. By all accounts, this was someone trying to be productive — syncing files between two computers — using an unsecured, familiar tool (GitHub) out of convenience. That's the same instinct that leads employees to email themselves documents, store passwords in browser-synced spreadsheets, or keep a "master password list" in Google Sheets.

The difference between a CISA-scale incident and a quiet credential rotation is often just whether anyone noticed.

There's also important context here: CISA has been operating without a permanent director since January 20, 2025, and has lost approximately a third of its workforce due to cuts, furloughs, and layoffs since early 2025. Diminished oversight and reduced staffing create the gaps where incidents like this fester undetected.

Even the most sophisticated, well-resourced security agencies are vulnerable when the basics slip. If CISA can have an open plain-text password file on the public internet for six months, your organization can too — unless you have controls in place to prevent it.

What Every Business Should Take Away

1. Never Store Credentials in Plain Text — Anywhere

Passwords and tokens do not belong in spreadsheets, text files, Word documents, or email. Period. Use a dedicated password manager (Bitwarden, 1Password, or similar) for individuals; use a secrets management solution (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) for applications and infrastructure. The cost is minimal. The alternative is a Firefox-Passwords.csv on GitHub.

2. Rotate Credentials — Especially When Someone Leaves or a Project Ends

Credentials that never expire become credentials that never get reviewed. Establish a rotation schedule for service accounts, API keys, and cloud tokens. If a contractor relationship ends, audit and rotate everything they had access to immediately.
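As an added example (not from the article and not tied to any real inventory), the audit below turns the rotation and offboarding advice into a repeatable check. It runs over a constructed credential inventory with made-up names and dates, and sorts each credential into three buckets: revoke now (owner no longer active), rotate (older than the per-type maximum age), and review (never used, or unused for longer than a grace period). The thresholds are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Credential:
    name: str
    owner: str            # principal the credential was issued to
    kind: str             # drives the maximum age below
    created: date
    last_used: Optional[date]  # None means the credential has never been used

# Assumed rotation policy: maximum age in days per credential type.
MAX_AGE_DAYS = {"aws-access-key": 90, "github-pat": 90, "service-password": 180}
UNUSED_GRACE_DAYS = 60  # credentials idle longer than this are candidates for removal

# Constructed sample inventory (names, owners and dates are invented).
INVENTORY = [
    Credential("deploy-ci-key", "ci-bot", "aws-access-key", date(2026, 4, 15), date(2026, 5, 20)),
    Credential("workspace-sync-key", "contractor-a", "aws-access-key", date(2025, 11, 13), date(2026, 5, 10)),
    Credential("legacy-backup-token", "ops-team", "github-pat", date(2025, 6, 1), date(2025, 12, 1)),
    Credential("db-service-password", "app-svc", "service-password", date(2026, 1, 10), None),
]

# Principals that still have an active relationship with the organization.
# A departed contractor is simply absent from this set.
ACTIVE_PRINCIPALS = {"ci-bot", "ops-team", "app-svc"}

def audit(inventory, active_principals, today):
    """Classify credentials into revoke / rotate / review lists."""
    result = {"revoke": [], "rotate": [], "review": []}
    for cred in inventory:
        # Offboarding takes precedence: anything owned by an inactive principal goes first.
        if cred.owner not in active_principals:
            result["revoke"].append(cred.name)
            continue
        age_days = (today - cred.created).days
        if age_days > MAX_AGE_DAYS.get(cred.kind, 90):
            result["rotate"].append(cred.name)
        idle_days = None if cred.last_used is None else (today - cred.last_used).days
        if idle_days is None or idle_days > UNUSED_GRACE_DAYS:
            result["review"].append(cred.name)
    return result

if __name__ == "__main__":
    report = audit(INVENTORY, ACTIVE_PRINCIPALS, date(2026, 5, 21))
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The point of separating the buckets is that each maps to a different action with a different owner: revocation is immediate and belongs to whoever runs offboarding, rotation is scheduled work, and the review list is where long-forgotten credentials get deleted rather than renewed.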

3. Scan Your Code Repositories for Secrets

Tools like GitGuardian (the same firm that found this leak), TruffleHog, and GitHub's native secret scanning can automatically detect when credentials are committed to a repository — before they're ever made public. These tools integrate directly into your CI/CD pipeline and can block a push that contains a secret. This is one of those controls that pays for itself the first time it catches something.

4. Apply the Principle of Least Privilege

The exposed CISA credentials were administrative — they could authenticate to three AWS GovCloud accounts at a high privilege level. If the contractor had only the access needed for their specific job, the blast radius of this exposure would have been dramatically smaller. Review who has access to what, and reduce it to the minimum necessary.
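Least privilege is easiest to enforce when it is checked mechanically. The following added example (not from the article, and not tied to any CISA policy) lints constructed IAM-style policy documents for the patterns that most inflate blast radius: wildcard actions, wildcard resources, `NotAction` grants, and a small illustrative subset of sensitive IAM/STS actions. The overly broad policy and the scoped replacement are both made up; the account ID and bucket name are placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyFinding:
    statement: int   # index into the policy's Statement list
    rule: str
    detail: str

# Illustrative subset of actions that deserve review wherever they appear;
# a real linter would carry a much longer list.
SENSITIVE_ACTIONS = {"iam:passrole", "sts:assumerole", "iam:createaccesskey", "iam:attachuserpolicy"}

# Constructed "before" policy: the kind of grant that lets a single leaked key do anything.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "s3:*"], "Resource": "*"},
    ],
}

# Constructed "after" policy: only what a deployment job needs, on named resources.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws-us-gov:s3:::example-deploy-bucket/*"},
        {"Effect": "Allow",
         "Action": ["logs:PutLogEvents"],
         "Resource": "arn:aws-us-gov:logs:us-gov-west-1:000000000000:log-group:/app/*"},
    ],
}

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(policy: dict) -> list:
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not the concern here
        if "NotAction" in stmt:
            findings.append(PolicyFinding(i, "not-action", "allows every action except those listed"))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(PolicyFinding(i, "wildcard-action", action))
            elif action.lower() in SENSITIVE_ACTIONS:
                findings.append(PolicyFinding(i, "sensitive-action", action))
        if any(r == "*" for r in _as_list(stmt.get("Resource"))):
            findings.append(PolicyFinding(i, "wildcard-resource", "*"))
    return findings

def is_least_privilege(policy: dict) -> bool:
    return not lint_policy(policy)

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {len(lint_policy(policy))} finding(s)")
        for f in lint_policy(policy):
            print(f"  statement {f.statement}: {f.rule} ({f.detail})")
```

Run as part of an access review or in the pipeline that deploys IAM changes, a check like this flags the grants that would have made a leaked key equivalent to full account control, and it documents the expectation that every Allow names specific actions on specific resources.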

5. Have an Incident Response Plan Before You Need One

GitGuardian sent nine automated alerts to the commit author before escalating. Those alerts went ignored. An effective incident response plan means that when a security tool raises a flag — whether it's a secret detection alert, an anomalous login, or an endpoint warning — someone is responsible for triaging it in a defined timeframe. "Set it and forget it" security tools only work if someone is watching.

6. Contractor and Third-Party Risk Is Your Risk

The CISA breach wasn't caused by a CISA employee — it was a contractor. But CISA is responsible for its own security posture, and so are you. When your contractors, vendors, or IT partners handle your credentials or work in your environment, their security hygiene becomes your exposure. Include contractors in your security policies, access reviews, and offboarding procedures.

The Bottom Line

There's a tempting narrative here about irony — the cybersecurity agency that tells everyone else how to stay secure couldn't keep its own credentials off GitHub. But the more useful takeaway isn't schadenfreude. It's this: if an agency staffed by cybersecurity professionals can make these mistakes, any organization can.

The behaviors that led to this breach — storing passwords in spreadsheets, using public tools for private files, disabling security controls for convenience — are common. They're human. The goal isn't to shame the people involved; it's to recognize that good security requires systems and controls that make it easy to do the right thing and hard to accidentally expose the wrong thing.

At Poole Associates, we help businesses in the Charlotte region build those systems — the policies, tools, and processes that catch mistakes before they become incidents. If you're not sure whether your credentials, repositories, or cloud keys are properly protected, that's worth a conversation.

The Private-CISA repository is gone. But the lesson it left behind is worth keeping.


Sources: TechCrunch (Zack Whittaker, May 19, 2026), GitGuardian Blog (Guillaume Valadon, May 19, 2026), KrebsOnSecurity (Brian Krebs, May 18, 2026)
