
The US Cybersecurity and Infrastructure Security Agency (CISA) narrowly avoided a major security breach after a researcher discovered exposed credentials that could have granted access to government cloud systems and internal agency networks. The incident raises serious questions about security practices at the very agency charged with protecting America’s civilian federal infrastructure.
The security lapse came to light when Guillaume Valadon, a researcher at GitGuardian, found extensive plaintext credentials stored in publicly accessible spreadsheets on GitHub. The repository belonged to a contractor working for CISA, and the exposed data included access tokens, cloud keys, and other sensitive authentication materials for systems used by both CISA and its parent agency, the Department of Homeland Security.
As reported by independent security journalist Brian Krebs, Valadon tested some of the credentials and confirmed they were valid and active. When the contractor failed to respond to direct alerts about the exposure, Valadon escalated the issue through media channels to ensure it received attention.
The incident is particularly damaging for CISA’s reputation. The agency regularly advises organizations on cybersecurity best practices, including the fundamental rule of storing passwords in secured password managers rather than unprotected spreadsheets. Finding such basic security failures within its own contractor ecosystem undermines its authority on cybersecurity guidance.
When contacted about the breach, CISA spokesperson Marco DiSandro acknowledged that the agency is “aware of the reported exposure and is continuing to investigate the situation.” However, the agency’s response raised more questions than it answered. DiSandro claimed there is “no indication that any sensitive data was compromised,” but CISA refused to confirm whether it had revoked and replaced the exposed credentials or whether it had detected any unauthorized access attempts.
The timing of this security failure couldn’t be worse for CISA. The agency has been operating without a permanent director since January 20, 2025, when Jen Easterly stepped down ahead of the Trump administration transition. The leadership vacuum has coincided with significant workforce reductions, with CISA losing approximately one-third of its staff due to cuts, furloughs, and layoffs since the administration change.
This incident highlights a broader challenge in government cybersecurity. While CISA bears ultimate responsibility for securing its networks and systems, much of the actual work happens through contractors. The exposed credentials belonged to a CISA contractor’s repository, but the security failure reflects on the agency’s oversight and vendor management practices.
The discovery also underscores the critical role that independent security researchers play in identifying vulnerabilities. Without Valadon’s responsible disclosure, these credentials could have remained exposed indefinitely, potentially giving malicious actors access to sensitive government systems. The contractor’s failure to respond to initial alerts shows gaps in incident response procedures that could have had serious consequences.
For the broader cybersecurity community, this incident serves as a reminder that even organizations at the highest levels of government security can fall victim to basic security mistakes. It also demonstrates the importance of:
- Regular audits of contractor security practices and repository permissions
- Automated scanning for exposed credentials in code repositories
- Clear incident response procedures that ensure security alerts reach appropriate personnel
- Proper credential management and rotation policies
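The automated-scanning recommendation above, as an added example that is not part of the original article or of any CISA or GitGuardian tool: a small Python check that flags credential-looking cells in a CSV export of a spreadsheet before it is committed, using the publicly documented AWS access key ID format plus a Shannon-entropy heuristic. The entropy threshold, the candidate-token regex and the sample rows are constructed assumptions.

```python
import csv
import io
import math
import re

# Publicly documented AWS access key ID format: "AKIA" + 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Assumed candidate-secret shape: 20+ characters from the base64/hex/urlsafe alphabet.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
# Assumed threshold in bits per character; random keys sit well above it, prose below.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_csv(text: str):
    """Return (row, column, reason, value) for each cell that looks like a credential."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            if AWS_KEY_ID.search(cell):
                findings.append((row_no, col_no, "aws_access_key_id", cell))
                continue
            # Fall back to the entropy heuristic for tokens of unknown format.
            for token in CANDIDATE.findall(cell):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append((row_no, col_no, "high_entropy", token))
                    break
    return findings


# Constructed sample spreadsheet export; the key values are AWS's documentation examples.
SAMPLE_CSV = """system,owner,credential
cloud-storage,alice,AKIAIOSFODNN7EXAMPLE
ci-runner,bob,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
wiki,carol,change me on first login
"""

if __name__ == "__main__":
    for finding in scan_csv(SAMPLE_CSV):
        print(finding)
```

Run it as a pre-commit hook over every .csv or exported sheet in the repository and refuse the commit when it returns any findings.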
As CISA continues its investigation, the agency faces pressure to demonstrate that it can effectively secure its own operations while maintaining credibility as the nation’s primary cybersecurity advisor. The incident may prompt renewed scrutiny of how government agencies manage contractor relationships and ensure consistent security standards across their extended networks.