The US Cybersecurity and Infrastructure Security Agency (CISA) accidentally exposed plaintext passwords and cloud authentication keys on a public GitHub repository, according to a report by independent security journalist Brian Krebs shared with TechCrunch.
The exposure occurred when CISA uploaded a spreadsheet containing unencrypted credentials to an open-access GitHub repo. The incident highlights a critical operational security failure at the federal agency responsible for protecting American infrastructure from cyber threats. CISA had not encrypted or rotated the exposed credentials at the time of the report's publication.
The exposed materials included passwords and cloud keys that could grant unauthorized access to CISA systems and infrastructure. Security researchers immediately flagged the severity of leaving such sensitive authentication material on a public platform where anyone could discover and exploit it.
This breach contradicts CISA's own guidance and best practices that the agency promotes across federal and private sector organizations. CISA regularly publishes advisories urging agencies and companies to implement credential management systems, rotate access keys regularly, and never store plaintext passwords in shared repositories or spreadsheets.
The incident raises questions about internal security protocols at the agency. CISA's mission centers on helping federal agencies and critical infrastructure operators defend against cyberattacks. The organization issues binding directives to federal agencies on security practices and maintains public vulnerability databases. Credentials left exposed on GitHub represent exactly the type of preventable security failure CISA works to eliminate across government.
Krebs, who has covered cybersecurity for decades, built his reputation by identifying significant breaches that organizations miss or attempt to hide. His reporting often forces government agencies and major companies to respond to security failures.
The exposure underscores a persistent challenge in cybersecurity. Even organizations with deep security expertise and explicit mandates to protect critical infrastructure struggle with basic credential hygiene. The incident likely prompted CISA to immediately rotate all exposed credentials and conduct an audit of other potential exposures.
