--- title: "US cyber agency CISA exposed reams of passwords and cloud keys to the open web" type: "News" locale: "en" url: "https://longbridge.com/en/news/286937105.md" description: "The U.S. cybersecurity agency CISA faced a significant security lapse when a researcher discovered exposed credentials on GitHub, allowing access to sensitive systems. The credentials, linked to a CISA contractor, included access tokens and cloud keys. Despite the breach, CISA has not confirmed any unauthorized use of the credentials. The incident raises concerns about CISA's cybersecurity practices, especially as the agency has been without a permanent director since January 2025 and has seen workforce reductions." datetime: "2026-05-19T15:09:18.000Z" locales: - [zh-CN](https://longbridge.com/zh-CN/news/286937105.md) - [en](https://longbridge.com/en/news/286937105.md) - [zh-HK](https://longbridge.com/zh-HK/news/286937105.md) --- # US cyber agency CISA exposed reams of passwords and cloud keys to the open web U.S. cybersecurity agency CISA may have escaped a sizable security breach, thanks to a good-faith security researcher who identified publicly exposed credentials that allowed access to government cloud and internal agency systems. As first reported by independent security reporter Brian Krebs, GitGuardian security researcher Guillaume Valadon found reams of exposed plaintext credentials listed in spreadsheets, which had been made publicly accessible in a GitHub repository by an employee working for a CISA contractor. Valadon told Krebs that the exposed credentials were used for accessing systems belonging to CISA and its parent agency, the Department of Homeland Security. Valadon said the credentials included access tokens, cloud keys, and other sensitive files. Valadon told Krebs that he tested some of the keys to verify that they were valid. He then reported the lapse to Krebs because the CISA contractor who maintained the GitHub environment did not respond to their alerts. The security lapse is particularly embarrassing for CISA because the U.S. government agency is responsible for cybersecurity across the civilian federal network. The organization also advises on best cybersecurity practices, which includes storing passwords in secured password managers and not in unprotected spreadsheets. It’s not clear if anyone found or used the credentials other than Valadon. When reached by TechCrunch, a CISA spokesperson did not immediately comment or say if the agency has any evidence of a breach stemming from this exposure. TechCrunch asked if the agency has revoked and replaced the exposed credentials following the incident. While the incident was traced back to an employee working for a CISA contractor, CISA is ultimately responsible for the security of its own network and systems, including contractors who work for the agency. CISA has been without a permanent director since January 20, 2025, when then-CISA director Jen Easterly stepped down ahead of the start of the incoming Trump administration. CISA has also lost about a third of its workforce following cuts, furloughs, and layoffs since Trump took office. ## Related News & Research - [ZAWYA: Zain KSA obtains Managed Security Operations Center Tier 2 license](https://longbridge.com/en/news/286674128.md) - [T-MOBILE: FOUNDED NON-PROFIT C2 ISAC TO BOOST CYBERSECURITY PARTNERSHIP WITH 7 OTHER FIRMS INCLUDING AT&T, CHARTER, VERIZON, COMCAST](https://longbridge.com/en/news/286952887.md) - [08:11 ETWinMagic Responds to New CISA OT Guidance With Transport-Layer Identity Architecture](https://longbridge.com/en/news/286768969.md) - [Cybersecurity is no longer optional for any business. These ETFs are built around that reality.](https://longbridge.com/en/news/286669786.md) - [ZAWYA: Knowbe4 launches a new family hub providing cyber safety training for children and adults](https://longbridge.com/en/news/286749233.md)