The US cybersecurity agency CISA may have escaped a major security breach, thanks to a bona fide security researcher who identified publicly exposed credentials that allowed access to government cloud systems and internal services.
As first reported by freelance security reporter Brian Krebs, GitGuardian security researcher Guillaume Valadon found bundles of exposed plaintext credentials listed in spreadsheets that had been made publicly accessible in a GitHub repository by an employee working for a CISA contractor.
Valadon told Krebs that the exposed credentials granted access to systems owned by CISA and its parent agency, the Department of Homeland Security, and included access tokens, cloud keys and other sensitive files. He said he tested some of the keys to verify they were still valid.
He then took the exposure to Krebs because the CISA contractor maintaining the GitHub environment did not respond to his notifications.
The security breach is particularly troubling for CISA because the US government agency is responsible for cybersecurity across the civilian federal network. The agency also advises on cybersecurity best practices, which include storing passwords in secure password managers rather than in unprotected spreadsheets.
It is unclear whether anyone other than Valadon found or used the credentials. When reached by TechCrunch, CISA spokesman Marco Di Sandro said the agency is “aware of the reported exposure and continues to investigate the situation” and that “there is no indication that any sensitive data was compromised as a result of this incident.”
CISA would not say whether the agency has seen evidence of a breach stemming from that report. TechCrunch also asked whether the agency has revoked and replaced the exposed credentials since the incident.
While the incident was traced to an employee working for a CISA contractor, CISA is ultimately responsible for the security of its network and systems, including contractors working for the agency.
CISA has been without a permanent director since January 20, 2025, when then-CISA director Jen Easterly resigned before the start of the new Trump administration. CISA has also lost approximately one-third of its workforce to cuts and layoffs since Trump took office.
Updated with comment from CISA.
