Researcher Catches CISA’s Cloud Keys Sitting in the Open Web

The agency tasked with defending America’s civilian government networks nearly handed attackers a way inside. CISA, the U.S. Cybersecurity and Infrastructure Security Agency, had working credentials sitting in plain text on the open web, where anyone could grab them.


Key Takeaways:

  • A GitGuardian researcher found CISA and Homeland Security credentials, including access tokens and cloud keys, exposed in plaintext spreadsheets inside a public GitHub repository.

  • The repository was maintained by an employee of a CISA contractor, and the researcher confirmed some of the keys actually worked.

  • CISA, which advises others to store passwords in secure managers rather than spreadsheets, says it found no sign that sensitive data was compromised.

A researcher acting in good faith spotted the problem first, which is likely the only reason this became a near-miss instead of a full breach.

The discovery came from Guillaume Valadon, a security researcher at GitGuardian, and was first reported by independent journalist Brian Krebs. Valadon found stacks of plaintext credentials sitting in spreadsheets that an employee at a CISA contractor had left publicly readable in a GitHub repository.

Those credentials weren’t trivial. Valadon told Krebs they opened the door to systems run by CISA and its parent, the Department of Homeland Security. The haul included access tokens, cloud keys, and other sensitive files. To be sure he wasn’t crying wolf, Valadon tested some of the keys himself and confirmed they were live.

Going to Krebs was not his first choice. Valadon first tried to alert the contractor responsible for the GitHub environment, but nobody answered. Only after those warnings went nowhere did he take the issue to a reporter.

The episode stings for an agency in CISA’s position. Its entire job is securing the civilian federal network and telling everyone else how to handle their own security. Part of that advice, repeated often, is to keep passwords inside protected password managers and far away from loose spreadsheets, which is precisely the practice that tripped up its own contractor.

Whether anyone besides Valadon ever stumbled on the credentials remains unknown. When TechCrunch asked, CISA spokesperson Marco DiSandro said the agency is “aware of the reported exposure and is continuing to investigate the situation,” and that there is “no indication that any sensitive data was compromised as a result of this incident.”

The agency stayed quiet on the follow-up questions. It would not say whether it had spotted any breach tied to the exposure, and it didn’t respond when TechCrunch asked whether the leaked credentials had been revoked and swapped out.

The fault traces back to a contractor’s employee, but the responsibility doesn’t stop there. CISA owns the security of its own network and systems, and that ownership extends to the contractors working on its behalf.

The timing lands awkwardly. CISA has had no permanent director since January 20, 2025, the day Jen Easterly stepped down ahead of the incoming Trump administration. The agency has also shed roughly a third of its staff through cuts, furloughs, and layoffs since Trump returned to office, leaving a thinner team to guard a network that just had its own keys left on the doorstep.

Written by Vytautas Valinskas