
CISA Administrator Exposed AWS GovCloud Keys on GitHub

Bottom line: A CISA contractor stored highly sensitive credentials for AWS GovCloud accounts and internal systems in a public GitHub repository. The leak contained cloud keys, plaintext passwords, and administrative data. Security firm GitGuardian rated this as the most severe government data leak of their career.

Until the weekend, a contractor for the US Cybersecurity & Infrastructure Security Agency (CISA) operated a public GitHub repository that exposed credentials for multiple high-privileged AWS GovCloud accounts and numerous internal CISA systems. Security experts describe this as one of the most serious US government data breaches in recent history.

Security researcher Guillaume Valadon of GitGuardian discovered the public repository named “Private-CISA,” which contained a wealth of sensitive data: cloud keys, tokens, plaintext passwords, logs, and other confidential CISA resources. Particularly notable is that the repository operator intentionally disabled the GitHub security setting that blocks SSH keys and secrets.

A file named “importantAWStokens” contained administrative credentials for three Amazon AWS GovCloud servers. Another file named “AWS-Workspace-Firefox-Passwords.csv” listed usernames and passwords for dozens of internal CISA systems, including “LZ-DSO” (Landing Zone DevSecOps), the agency’s secure code development environment.

Security consultant Philippe Caturegli confirmed that the exposed AWS keys were fully functional and provided access to high-privileged accounts with broad access to internal systems. According to Caturegli, the repository apparently served as a personal work tool and synchronization mechanism—not as a properly managed project. The use of both CISA-owned and personal email addresses in the Git metadata suggests that the repository was synchronized across different environments.
