Critical AWS GovCloud Credentials Exposed in CISA Contractor's GitHub Repository
In May 2023, a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) was discovered to have posted highly sensitive credentials in a public GitHub repository named "Private-CISA." The leaked data included administrative keys to AWS GovCloud accounts, plaintext passwords for internal systems, and detailed software development procedures. This incident, flagged by security firm GitGuardian, is considered one of the most severe government data leaks in recent history, exposing CISA's internal practices and raising serious concerns about cloud security hygiene.
1. What exactly was leaked from the CISA contractor's GitHub repository?
The repository, titled "Private-CISA," contained a wide array of sensitive information, including administrative credentials for three AWS GovCloud servers, stored in a file named "importantAWStokens." Another file, "AWS-Workspace-Firefox-Passwords.csv," listed plaintext usernames and passwords for dozens of internal CISA systems. Additionally, the repository held logs, tokens, and detailed documentation of how CISA builds, tests, and deploys software internally. This created a significant security risk by giving potential attackers a blueprint of CISA's infrastructure and access points.

2. How was the leak discovered?
Security researcher Guillaume Valadon from GitGuardian identified the exposure on May 15, 2023. GitGuardian continuously scans public code repositories for exposed secrets, such as API keys and passwords. Valadon noticed that the repository owner wasn't responding to automated alerts, which prompted him to contact KrebsOnSecurity. The researcher described the find as a textbook example of poor security hygiene, noting that the commit logs showed the account holder had manually disabled GitHub's built-in secrets detection feature.
3. Why is this considered one of the worst government data leaks?
Experts, including Philippe Caturegli of Seralys, called this leak exceptionally egregious because it exposed not only credentials but also internal operational processes. The repository acted as a scratchpad, containing backups, plaintext passwords in CSV files, and explicit commands to disable security features. Unlike isolated credential leaks, this incident provided a comprehensive view of CISA's internal systems—from AWS GovCloud admin access to the agency's secure code development environment (LZ-DSO). The breadth of exposed data could have enabled attackers to mimic legitimate access and potentially disrupt critical national security operations.
4. What does this reveal about CISA's internal security practices?
The incident suggests that individual contractors may be bypassing established security protocols. The use of a public GitHub repository as a personal workstation or synchronization tool indicates a lack of proper oversight and training on secure development practices. The fact that GitHub's secrets detection was deliberately disabled is particularly troubling, as it shows an active effort to circumvent safeguards. While this appears to be an individual mistake, it raises questions about whether such practices are part of a broader culture. CISA has not commented on any internal reviews or corrective actions taken after the leak was reported.

5. How could the exposed credentials have been misused?
The leaked AWS GovCloud keys provided administrative access to three highly privileged cloud environments. In the wrong hands, an attacker could launch virtual machines, access sensitive data, or pivot to other connected systems. The plaintext passwords for internal CISA systems (including the LZ-DSO development environment) would allow unauthorized personnel to log into critical agency tools, modify software in development, or inject malware. Combined with the exposed build and deploy documentation, a sophisticated adversary could replicate CISA's internal environment for espionage or sabotage purposes.
6. What steps could prevent similar leaks in the future?
Organizations should enforce strict policies against storing any secrets in public code repositories. Automated secret scanning tools, like those used by GitGuardian, should be mandatory and cannot be disabled by individual developers. Employee training on secure coding practices and the use of dedicated secret management tools (e.g., AWS Secrets Manager, HashiCorp Vault) is essential. Additionally, regular audits of public-facing repositories and implementing least-privilege access for cloud credentials can minimize the impact of any accidental exposure. Government agencies, in particular, need robust monitoring and swift incident response when leaks occur.
7. What happened after the leak was reported?
Upon receiving the alert from GitGuardian, KrebsOnSecurity contacted the CISA contractor. The repository was taken down shortly thereafter, and the exposed credentials were presumably rotated. However, CISA has not issued a public statement detailing the extent of the breach or any internal consequences for the contractor. The quick removal of the repository likely limited immediate exploitation, but the fact that it remained public for an unknown period means the credentials could have been copied by third parties. No evidence of malicious use has been reported, but the incident underscores the ongoing challenge of securing cloud environments within government agencies.