CISA Left AWS GovCloud Keys on GitHub for Six Months, Ignored Nine Alerts
The US cyber agency's own postmortem admits it missed automated warnings, muddled its reporting channels, and took two days to rotate leaked admin credentials.

Key points
- A contractor working for the US Cybersecurity and Infrastructure Security Agency (CISA) left 844 MB of internal data in a public GitHub repository called "Private CISA" for nearly six months.
- The exposed files included administrative keys to three Amazon Web Services (AWS) GovCloud servers and a spreadsheet of plaintext usernames and passwords for dozens of internal CISA systems.
- Security firm GitGuardian sent nine automated alerts about the leak before CISA acted on a May 15, 2026 tip routed through KrebsOnSecurity.
- CISA took more than 48 hours to invalidate the leaked AWS keys after being told, blaming the complexity of its federal system connections.
- CISA says its detailed logs show no customer or mission data was accessed, and the contractor's access has been revoked.
This one hurts to write up.
CISA, the federal agency that tells everyone else how to run cloud security, just published a postmortem on how one of its own contractors dumped a pile of admin credentials into a public GitHub repository. GitHub is the site software developers use to store and share code. The repository sat there, open to anyone with a browser, for nearly six months.
Inside were files with names that make any engineer wince. One was called "importantAWStokens" and contained admin keys to three Amazon GovCloud servers, the fenced-off version of Amazon's cloud used by US government agencies. Another, "AWS-Workspace-Firefox-Passwords.csv", listed plaintext logins for dozens of internal CISA systems. Plaintext meaning no encryption, no scrambling, just usernames and passwords sitting in a spreadsheet.
The leak was originally flagged by KrebsOnSecurity after researchers at GitGuardian, a company that scans public code for exposed secrets, got nowhere with automated alerts.
How did CISA miss this for six months?
Because nobody read the emails. GitGuardian sent nine automated notifications to CISA before finally roping in a reporter. In practice, that is how a one-day incident becomes a six-month exposure.
CISA's own writeup, authored by acting CIO Preston Werntz and acting CISO Brad Libbey, is candid about why. The agency had no clear channel for someone to say "hey, your infrastructure is leaking." The GitGuardian researcher tried emailing the contractor. He tried CISA's vulnerability disclosure platform, which is meant for flaws in products CISA oversees, not the agency itself. Nothing worked until a journalist got involved.
The failure mode here is one every large organisation has: the inbox for "our stuff is on fire" is the same inbox as "we found a bug in your product," and the person on triage duty routes it to the wrong queue.
Even after CISA was told, rotating the AWS GovCloud keys took more than 48 hours. The agency blamed "complexities" and interconnections with federal and industry partners. Translation: they did not know everywhere those keys were being used, so pulling them risked breaking things.
What actually went right?
Give credit where it is due. CISA had good logging turned on, and it had adopted zero trust, a security approach where every request is checked rather than trusted just because it came from inside the network. Those two things let investigators prove the leaked credentials were never used from outside CISA's environment, and that no mission or customer data walked out.
The agency has rotated every exposed secret, revoked the contractor's access, and says it is rewriting its incident playbook to actually cover GitHub and other cloud services. Which, yes, should have been in there already.
One thing the post-mortem will say, and did say, is that quarterly scans for leaked secrets are not enough. Continuous scanning of public repositories is table stakes in 2026. If a vendor is still selling you a quarterly report, walk.
GitGuardian's Guillaume Valadon called the report the first time a national cyber agency has publicly told organisations to make it easy to report leaks about themselves, not just about their products. That is a low bar, but it is genuinely useful that CISA cleared it in public.
Operational takeaway: if your only leak-reporting channel is a product security form, you do not have a leak-reporting channel.



