US cyber agency CISA exposed reams of passwords and cloud keys to the open web
A security researcher discovered that a CISA contractor had publicly exposed sensitive credentials, including passwords and cloud keys, on GitHub, potentially allowing access to government cloud and internal agency systems.

A potentially catastrophic security breach was averted thanks to the vigilance of a good-faith security researcher who identified a trove of sensitive credentials exposed on the open web. The credentials, which included access tokens, cloud keys, and other sensitive files, were listed in spreadsheets made publicly accessible in a GitHub repository by an employee of a contractor for the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

According to independent security reporter Brian Krebs, GitGuardian security researcher Guillaume Valadon discovered the exposed plaintext credentials. Valadon told Krebs that the credentials were used to access systems belonging to CISA and its parent agency, the Department of Homeland Security, and that he had confirmed some of the keys were valid by testing them. By the time Valadon brought the lapse to Krebs, the CISA contractor who maintained the GitHub environment had not responded to his alerts.

The lapse is particularly embarrassing for CISA, which is responsible for cybersecurity across the civilian federal network and advises on best practices. Those practices include storing passwords in a secured password manager, not in unprotected spreadsheets. The incident raises questions about the agency's ability to secure its own network and systems, especially as it has been without a permanent director since January 20, 2025, when then-CISA director Jen Easterly stepped down.

It is unclear whether anyone other than Valadon found or used the credentials. A CISA spokesperson did not immediately comment on the incident or provide evidence of a breach stemming from the exposure. The agency also did not respond to questions about whether it has revoked and replaced the exposed credentials. Rotation is the only reliable remedy once a secret has been public: deleting the file from the repository does not purge it from Git history, forks, or third-party caches. The incident highlights the challenges facing CISA, which has lost about a third of its workforce to cuts, furloughs, and layoffs since the start of the Trump administration.

While the incident was traced to an employee of a CISA contractor, CISA is ultimately responsible for the security of its own network and systems, including those operated by contractors working for the agency. The agency's reputation as a leader in cybersecurity is at stake, and it will need to take swift and decisive action to prevent similar incidents in the future.
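The failure described above, a spreadsheet of plaintext credentials committed to a public repository, is detectable before the commit ever leaves the developer's machine. The following is an added example, not code from the original article, from GitGuardian, or from CISA: a small pre-commit style scanner that reads a spreadsheet exported as CSV and flags cells that match documented cloud key formats (the AWS access key ID prefix AKIA and the GitHub personal access token prefix ghp_) or that look like a high-entropy secret. The CSV rows are constructed for the example; the AWS value is Amazon's documented placeholder key rather than a live credential, and the thresholds MIN_LEN and ENTROPY_THRESHOLD are assumptions chosen for illustration.

```python
import csv
import io
import math
import re
import sys

# Documented key formats (the prefixes and lengths these providers publish).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Fallback heuristic for secrets with no recognisable prefix (API tokens,
# storage SAS tokens, generated passwords). Both thresholds are assumptions.
MIN_LEN = 20
ENTROPY_THRESHOLD = 3.5  # bits per character

# Constructed sample: a password spreadsheet exported to CSV. Every value is
# fabricated; the AWS value is Amazon's documented placeholder key, not a live one.
SAMPLE_CSV = """system,username,secret,notes
portal-db,svc_app,Winter2024!,rotated monthly
aws-prod,deploy,AKIAIOSFODNN7EXAMPLE,access key id
github,ci-bot,ghp_abcdefghijklmnopqrstuvwxyz0123456789,pat
cloud-storage,backup,xK9$mQ2vL8@pR4wN7zT3bH6j,sas token?
vpn,admin,hunter2,temp
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(value: str):
    """Return the kind of secret a cell looks like, or None if it looks benign."""
    for kind, pattern in PATTERNS.items():
        if pattern.search(value):
            return kind
    # Entropy check only for long, space-free strings; short human-chosen
    # passwords such as "Winter2024!" deliberately fall through here.
    if len(value) >= MIN_LEN and " " not in value and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        return "high_entropy_string"
    return None


def redact(value: str) -> str:
    """Keep just enough of the value to locate it without re-exposing the secret."""
    return value[:4] + "..."


def scan_text(text: str) -> list:
    """Scan a CSV document; row numbers are 1-based with the header as row 1."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for row_no, row in enumerate(reader, start=2):
        for column, value in row.items():
            value = (value or "").strip()
            kind = classify(value)
            if kind:
                findings.append(
                    {"row": row_no, "column": column, "kind": kind, "value": redact(value)}
                )
    return findings


if __name__ == "__main__":
    # Usage: python scan_sheet.py export.csv  (falls back to the sample when no file is given)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    found = scan_text(text)
    for f in found:
        print(f"row {f['row']} column {f['column']}: {f['kind']} ({f['value']})")
    # A non-zero exit blocks the commit when this runs as a pre-commit hook.
    sys.exit(1 if found else 0)
```

On the sample, the scanner flags the AWS key, the GitHub token, and the random-looking storage token, and misses the two short human-chosen passwords. That miss is the point of the caveat: pattern and entropy scanners catch machine-generated keys reliably but cannot be relied on to catch every password, which is why a sheet of credentials should never be committed in the first place. Note also that the scanner only reports what a cell looks like; confirming whether a key is still live, as Valadon did, is a step only the key's owner should take, and the outcome of that step should be rotation regardless.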
Source: TechCrunch