CISA Admin Leaked AWS GovCloud Keys on GitHub

424 points | 162 comments | 21 hours ago
john_strinlai

>Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

obviously leaking the credentials itself is crazy, given that it's (a contractor to) CISA, but to not respond when notified? crazy crazy.

but wait! it gets worse somehow

"“AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems"

while i understand and sympathize with the fact that CISA is kind of being gutted, a passwords.csv with weak passwords is inexcusable incompetence. not much budget is required for a password manager.

embarrassing all around.

epistasis

I think one thing that people are sleeping on is passing a ton of secrets to OpenAI and Anthropic or your OpenRouter by having a .env or secrets on disk in your repo, but not checked in

Your LLM will happily read the entire file, ship it off to be training data for future versions of ChatGPT, and not raise any flags, because let's be fair it was an ok thing to check if all the env vars were set, or if you had set up the database password for the app.

It's time for orgs to audit and rotate secrets wherever they are stored on disk or in logs, and switch to SOPS or Vault or whatever to keep these out of plaintext except exactly when needed.

protastus

In 2026, storing government credentials in a repo and not having scanners to flag it should be investigated. I am highly suspicious of anyone doing this in a professional capacity. If I worked at a foreign intelligence agency and saw this, I would first think it's a honeypot, and an unimaginative one because it's so lacking in subtlety.

debarshri

They also uploaded sensitive docs in chatgpt [1]

[1] https://www.politico.com/news/2026/01/27/cisa-madhu-gottumuk...

exabrial

Looks like someone needs to go take 27 training modules. That'll fix it.

dantiberian

GitHub has automatic secret scanning on all public repositories which notifies AWS if access keys are pushed. I would have expected these tokens to be immediately revoked by AWS. Is there something different about GovCloud access keys so they weren't detected?

morpheuskafka

The repo name was literally "Private-CISA". Would be fun to (a) search through repo names with private/internal/etc in them and (b) search for govt agency / non-tech company that otherwise wouldn't be expected to appear in repo names. Could probably clone them all and then have an LLM quickly scan for interesting stuff.

Also, doesn't GitHub have its own automated scanner for something as basic as an AWS credential?

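The pattern matching that dantiberian and morpheuskafka are asking about (and the on-disk audit epistasis recommends upthread) is not hard to reproduce locally. The following is an added example written for this page; it is not code from the thread, from GitHub, or from AWS. It assumes the documented shape of AWS access key IDs (a 4-character prefix, AKIA for long-term or ASIA for temporary keys, followed by 16 uppercase letters or digits) and the 40-character secret key, and uses a generic name-based rule for other .env-style credentials. The sample .env content is constructed and contains only the well-known placeholder values from the AWS documentation, not real credentials.

```python
import re
from pathlib import Path

# Access key IDs: 4-char prefix (AKIA = long-term, ASIA = temporary) + 16 uppercase/digits.
# Assumption: this is the documented shape; it is what public scanners key on.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A 40-char secret assigned to aws_secret_access_key (any case, '=' or ':' separator, optional quotes).
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Generic .env assignment whose variable name suggests a credential (hypothetical heuristic).
ENV_SECRET_RE = re.compile(
    r"^\s*([A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*)\s*=\s*(\S+)"
)

# Directories a repo scan should never descend into.
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def redact(value):
    """Keep only the first and last 4 characters so a report never re-leaks the secret."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, source="<string>"):
    """Return findings as (source, line_number, kind, redacted_value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        aws_hit = False
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((source, lineno, "aws_access_key_id", redact(m.group(1))))
            aws_hit = True
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((source, lineno, "aws_secret_access_key", redact(m.group(1))))
            aws_hit = True
        # Only fall back to the generic rule when no AWS-specific rule already fired on this line,
        # so AWS_SECRET_ACCESS_KEY=... is reported once, not twice.
        if not aws_hit:
            m = ENV_SECRET_RE.match(line)
            if m:
                findings.append((source, lineno, "env_secret", redact(m.group(2))))
    return findings


def scan_tree(root):
    """Walk a checkout (including files that are on disk but not committed) and scan every text file."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or SKIP_DIRS.intersection(path.parts):
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample input: the placeholder key pair from the AWS documentation plus a fake DB password.
SAMPLE_ENV = """# constructed sample, not real credentials
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=hunter2
LOG_LEVEL=debug
"""


def demo():
    """Scan the constructed .env and return the findings (three expected: key id, secret key, DB password)."""
    return scan_text(SAMPLE_ENV, ".env")


if __name__ == "__main__":
    for source, lineno, kind, value in demo():
        print(f"{source}:{lineno}: {kind} {value}")
```

Run `scan_tree(".")` from a repository root to cover exactly the case epistasis describes: a .env that is gitignored but still present on disk, where a commit-time hook would never see it. Anything the scanner reports should be treated as compromised and rotated, not just deleted, because the file may already have been read by a tool or shipped in a backup.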
nijave

Ironically they could have used those AWS keys to use one of the many AWS services that's more secure.

For example S3 (ideally with KMS), Parameter Store (ideally with KMS), EBS, EFS, AWS Secrets Manager, even just KMS to directly encrypt the files

Really any AWS service that supports KMS and doesn't require giving the service principal access to the key

itintheory

I'm surprised that this has apparently been ongoing for 6-7 months. I thought outfits like GitGuardian, or solo researchers with trufflehog (etc) would find leaked keys in days, not months. Maybe this is related to the major growth of github? The scanners can't keep up?

dcrazy

What makes this truly sad is that the federal government has had smartcard-based authentication (CAC) for decades. Yet because the public internet stack runs on passwords, so too does government infrastructure.

cestith
wnevets

> but this administration clearly had no idea what they were getting themselves into and did not plan accordingly.

chrismarlow9

Sounds about right. Security is a joke everywhere right now. First to market is all that matters anymore and security is the very first thing to be thrown out when it stands in the way.

bilekas

I would be fired for this. Probably not able to ask for a reference and forever be the butt of a joke between friends and colleagues.

Seems like no big deal for CISA. Defunded really paying off now.

snihalani

Do they not believe in encrypted files?

passive

Uh, so it says this dates from Nov 2025.

Nov 2025 was also when most of us learned about the acting Chief Security Officer at DHS, whose name AND photo seem exactly like the calling card of someone who had these "keys to the kingdom". https://bsky.app/profile/andylevy.net/post/3m6ivhnthts2o

I want to believe...

tedggh

This seems like an act of sabotage disguised as incompetence.

ttul

Yet another argument for the death of the API key. Replacements abound; let's get on with it.
