CISA Exposed Numerous Passwords and Cloud Keys Online


The U.S. cybersecurity agency CISA narrowly avoided a significant security breach thanks to a good-faith security researcher who found publicly exposed credentials granting access to government cloud and internal agency systems.

GitGuardian security researcher Guillaume Valadon discovered exposed plaintext credentials in spreadsheets made public in a GitHub repository by an employee of a CISA contractor. The discovery was initially reported by independent security reporter Brian Krebs. Valadon stated that these credentials, including access tokens, cloud keys, and sensitive files, were used to access systems belonging to CISA and the Department of Homeland Security. He verified their validity by testing some keys and subsequently reported the issue to Krebs after receiving no response from the CISA contractor maintaining the GitHub environment.

This security lapse is particularly embarrassing for CISA, as the agency oversees cybersecurity for the civilian federal network and advises on best practices, including secure password storage.

It remains unclear whether anyone besides Valadon found or used the credentials. When contacted by TechCrunch, a CISA spokesperson did not provide immediate comment or confirm whether any breach resulted from the exposure. TechCrunch also inquired whether the exposed credentials were revoked and replaced.

Although the exposure was traced back to an employee of a CISA contractor, CISA holds ultimate responsibility for the security of its networks and systems, including those involving contractors. CISA has been without a permanent director since January 2025, following the resignation of then-director Jen Easterly before the Trump administration took office. Additionally, CISA has lost about a third of its workforce due to cuts, furloughs, and layoffs since Trump assumed office.
