CISA, the agency tasked with defending America's critical infrastructure from cyberattacks, just did something that would get most engineers fired: they published their administrative passwords on GitHub for six months.
The U.S. Cybersecurity and Infrastructure Security Agency accidentally exposed administrative credentials for Amazon AWS GovCloud servers, plaintext usernames and passwords, and authentication tokens in a public GitHub repository helpfully named "Private-CISA." The repository had been sitting there since November, completely public, completely accessible to anyone who stumbled across it.
Guillaume Valadon from GitGuardian, the security company that discovered the leak, called it "the worst leak that I've witnessed in my career." And he's not exaggerating. These weren't test credentials or dummy accounts. These were keys to CISA's secure code development environment, the kind of access that would let an attacker move laterally through government systems.
CISA claims there's "no indication that any sensitive data was compromised," which is the cybersecurity equivalent of "we checked and nothing seems to be missing." The breach was reportedly caused by a government contractor employee using GitHub to transfer sensitive materials between work and home devices - a spectacularly bad decision that bypassed every security protocol that should have stopped this.
The technology is impressive. The question is whether the technology was ever what anyone needed here. In this case, the technology is GitHub's secret scanning, which did work as designed. The problem is everything else: the contractor who thought a public repo was an acceptable place for secrets, the review process that didn't catch it, and the six-month gap before discovery. You can't patch organizational culture with better tools.
