Loading market data...

CISA Left Plaintext Passwords, Cloud Keys Exposed on GitHub for Six Months

The Cybersecurity and Infrastructure Security Agency inadvertently exposed plaintext passwords and cloud access keys on a public GitHub repository for six months. The credentials, stored in the open on the code-sharing platform, could have allowed anyone to access CISA’s internal systems and cloud services. The agency has not said whether the keys were used by unauthorized parties.

The public repository

The repository containing the credentials was set to public, meaning anyone on the internet could view it. GitHub is widely used by developers and organizations to host code, but sensitive data like passwords and API keys should never be committed to a public repository. CISA’s mistake left these credentials plainly readable for anyone who stumbled upon the repository. The agency did not immediately respond to questions about how the repository was discovered or who reported it.

Six months of risk

The exposure lasted six months before being remediated. During that time, the credentials were accessible to anyone who found the repository. With cloud keys, an attacker could potentially sign into CISA’s cloud environment and access data, modify configurations, or use computing resources. Plaintext passwords could unlock other accounts or systems. The longer credentials are exposed, the greater the chance they have been copied and used by bad actors.

Response and next steps

CISA has not announced any specific actions taken beyond removing the credentials from the public repository. It is standard practice to immediately rotate exposed keys and passwords, but CISA has not confirmed whether it did so. The agency also has not said whether it has scanned for unauthorized activity in the affected systems. The incident raises questions about how CISA handles its own security while overseeing cybersecurity for the rest of the federal government. For an agency tasked with protecting federal networks, this kind of lapse is particularly notable. It underscores that even the most security-conscious organizations can make basic operational errors. The repository has since been removed from public view, but who accessed it during the six months remains unknown. The agency has not indicated whether it will change its internal procedures to prevent a similar incident. For now, the full scope of the exposure remains unclear.