
CISA Breach: Active AWS Keys and Passwords Exposed for 6 Months
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) exposed 844 MB of sensitive data, including AWS keys, passwords, and SAML certificates, in a public GitHub repository for six months. Some credentials were still active, raising concerns about the agency's cybersecurity practices. U.S. lawmakers are now pressing for regulatory reforms and stricter oversight of federal cybersecurity protocols.
The CISA Credential Leak: Key Details and Timeline
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), tasked with safeguarding critical national infrastructure, suffered a major breach when 844 MB of sensitive data was left exposed in a public GitHub repository named "Private-CISA."
The repository, publicly accessible from November 2025 to May 2026, contained plaintext passwords, AWS access keys, and sensitive SAML certificates linked to Microsoft Entra ID. This misstep was uncovered by researcher Guillaume Valadon of GitGuardian, who promptly notified CISA. Despite the repository being taken down within 26 hours, the exposure duration has raised significant security concerns. Notably, some of the leaked credentials were still active at the time of discovery, heightening the risk of unauthorized access to critical federal systems.
Broader Implications for Federal Cybersecurity
The fallout from this breach extends beyond the immediate risks posed by the exposed credentials:
- Compromised Federal Systems: Active credentials could have been exploited to infiltrate federal systems, potentially affecting critical public services and national infrastructure.
- Credibility Crisis: The breach has cast doubt on CISA’s ability to safeguard U.S. infrastructure, undermining public trust.
- Systemic Weaknesses: The incident exposes gaps in CISA’s credential management and monitoring protocols.
Cybersecurity expert Brian Krebs reported that the breach underscores the urgent need for federal agencies to adopt more robust monitoring tools and practices.
Political Fallout and Congressional Oversight
The breach has triggered a swift response from U.S. lawmakers. Senator Maggie Hassan of the Senate Homeland Security Committee has requested a classified briefing to investigate the incident. This marks the first significant congressional action on the matter.
Additionally, the incident has reignited debates over federal cybersecurity regulations. Bipartisan calls for enhanced transparency, tighter oversight, and comprehensive audits suggest the possibility of new legislative measures to prevent future breaches.
CISA’s Corrective Measures
In the wake of the breach, CISA has taken several immediate steps to address the vulnerabilities:
- Disabling Leaked Credentials: All exposed credentials, including passwords, keys, and tokens, have been revoked.






