The federal cybersecurity agency left plaintext passwords in a spreadsheet uploaded to a public GitHub repository, per a report by independent journalist Brian Krebs.
U.S. cybersecurity agency CISA may have escaped a sizable security breach, thanks to a good-faith security researcher who identified publicly exposed credentials that allowed access to government cloud and internal agency systems.
As first reported by independent security reporter Brian Krebs, GitGuardian security researcher Guillaume Valadon found reams of exposed plaintext credentials listed in spreadsheets, which had been made publicly accessible in a GitHub repository by an employee working for a CISA contractor.
Valadon told Krebs that the exposed credentials were used for accessing systems belonging to CISA and its parent agency, the Department of Homeland Security. Valadon said the credentials included access tokens, cloud keys, and other sensitive files. Valadon told Krebs that he tested some of the keys to verify that they were valid.
He then reported the lapse to Krebs because the CISA contractor who maintained the GitHub environment did not respond to their alerts.
The security lapse is particularly embarrassing for CISA because the U.S. government agency is responsible for cybersecurity across the civilian federal network. The organization also advises on best cybersecurity practices, which includes storing passwords in secured password managers and not in unprotected spreadsheets.
It’s not clear if anyone found or used the credentials other than Valadon. When reached by TechCrunch, a CISA spokesperson did not immediately comment or say if the agency has any evidence of a breach stemming from this exposure. TechCrunch asked if the agency has revoked and replaced the exposed credentials following the incident.
While the incident was traced back to an employee working for a CISA contractor, CISA is ultimately responsible for the security of its own network and systems, including contractors who work for the agency.
CISA has been without a permanent director since January 20, 2025, when then-CISA director Jen Easterly stepped down ahead of the start of the incoming Trump administration. CISA has also lost about a third of its workforce following cuts, furloughs, and layoffs since Trump took office.
Topics CISA , cybersecurity , data exposure , Government & Policy , Security , Trump Administration When you purchase through links in our articles, we may earn a small commission . This doesn’t affect our editorial independence.
Zack Whittaker Security Editor Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security .
He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com .
View Bio May 27 Athens, Greece StrictlyVC Athens is up next. Hear unfiltered insights straight from Europe’s tech leaders and connect with the people shaping what’s ahead. Lock in your spot before it’s gone.
REGISTER NOW Most Popular Elon Musk has lost his lawsuit against Sam Altman and OpenAI Tim Fernholz Users turn to jailbreaking their older Kindles as Amazon ends support Lauren Forristal OpenAI launches ChatGPT for personal finance, will let you connect bank accounts Ivan Mehta US orders travelers on Air Force One to throw away gifts, pins, and burner phones after China trip Lorenzo Franceschi-Bicchierai OpenAI is reportedly preparing legal action against Apple; it wouldn’t be the first partner to feel burned Connie Loizos How to turn off Instagram’s new Instants feature and retract photos you accidentally shared Aisha Malik Musk’s xAI is running nearly 50 gas turbines unchecked at its Mississippi data center Tim De Chant
