A Government Security Agency Accidentally Left Secret Passwords Online

A contractor working for the U.S. Cybersecurity and Infrastructure Security Agency — a federal agency responsible for protecting America's computer networks — left sensitive passwords and access keys on a public website for months, according to KrebsOnSecurity. The breach went unnoticed from early 2026 until May of that year.
The contractor had uploaded the files to GitHub, a popular website developers use to share and store code. The folder was named "Private-CISA," but it was set to public, meaning anyone on the internet could read it. Inside were dozens of passwords, security keys, and configuration files that control access to government computer systems.
What Was Exposed
The leaked files included browser bookmarks, saved passwords for Amazon's cloud services, authentication tokens (digital keys that grant access without a password being typed), and Kubernetes configuration files. A Kubernetes configuration file typically holds the network address of a cluster's control plane and the credentials used to administer it, so possessing the file can be enough to take control of the containerized applications running on government servers.
The most sensitive items were credentials to AWS GovCloud, a set of isolated Amazon cloud regions reserved for U.S. government customers and their contractors handling sensitive but unclassified work (classified workloads run in separate, even more restricted AWS regions). It's like a locked room inside a locked building. If someone gets the key, they can reach whatever that key's permissions allow inside.
The leaked files also contained passwords to CISA's internal software repository, a central system where government software code is kept and assembled into finished programs. Access to this system could allow someone to insert harmful code into software before it is built and distributed.
How This Happened
GitHub has a built-in protection, called push protection, that checks each upload for strings matching the known formats of passwords, access keys and tokens and rejects the upload until the offending string is removed. It can be bypassed for a single upload or switched off for a repository; according to the report, the contractor turned it off.
The folder's name, "Private-CISA," suggests the contractor knew the information was sensitive. Yet it sat on the public internet anyway. In standard security practice, passwords and access keys should never be stored in code repositories at all, public or private, because repository history is copied wherever the code goes. Instead, they should live in a secrets manager, a separate, locked-down system designed just for that purpose, and be read by software at run time.
Large organizations typically have rules in place to catch these mistakes. They use automated scanning tools, require colleagues to review each other's work, and conduct security training. None of these safeguards worked in this case.
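The detection logic those scanning tools run, as an added example that is not GitHub's push protection code and not anything from the contractor's repository: a small pre-push scanner that looks for the credential shapes named above (AWS access key IDs and secret keys, kubeconfig tokens and client keys, private key blocks), redacts what it finds so the scanner's own output does not leak the secret, and keeps an allowlist so published placeholder values do not block every push. The sample files, the key and token values, and the allowlist are constructed for this example; the only real values are the placeholder credentials AWS prints in its own documentation.

```python
"""Pre-push secret scan: flag credential-shaped strings before a commit can
reach a repository.  Added example; not code from GitHub, CISA, or the
contractor.  All sample inputs are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # the scanner never reports the whole secret


# Credential shapes for the types the article lists.  GovCloud access keys use
# the same AKIA (long-term) / ASIA (temporary) format as commercial AWS.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # 40 base64-ish chars, only flagged next to a variable name that says what
    # they are, which keeps random base64 blobs from tripping the scanner.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "kubeconfig_token": re.compile(r"^\s*token:\s*(\S{20,})\s*$"),
    "kubeconfig_client_key": re.compile(r"^\s*client-key-data:\s*([A-Za-z0-9+/=]{40,})\s*$"),
    "private_key_block": re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
}

# Placeholder credentials published in the AWS documentation; they appear in
# READMEs and tests and must not block a push.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def redact(secret):
    """Keep just enough of the value to locate it, never enough to use it."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


def scan_text(path, text):
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1)
                if secret in ALLOWLIST:
                    continue
                findings.append(Finding(path, line_no, kind, redact(secret)))
    return findings


def scan_files(files):
    """files: {path: contents}, e.g. the blobs staged for a push."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def should_block_push(findings):
    return len(findings) > 0


# Constructed sample push (hypothetical paths and values, no real credentials).
SAMPLE_FILES = {
    ".env": "AWS_ACCESS_KEY_ID=AKIAQ7ZXC4V2NB8M1R5T\n"
            "AWS_SECRET_ACCESS_KEY=k9Lm3pQr7sTuVwXyZ0aBcDeFgHiJkLmNoPqRsTuV\n"
            "AWS_DEFAULT_REGION=us-gov-west-1\n",
    "kubeconfig.yaml": "apiVersion: v1\nusers:\n- name: cluster-admin\n  user:\n"
                       "    token: eyJhbGciOiJSUzI1NiJ9.constructed.example.token\n",
    "README.md": "Example from the AWS docs: AKIAIOSFODNN7EXAMPLE / "
                 "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.redacted})")
    print("push blocked:", should_block_push(scan_files(SAMPLE_FILES)))
```

Wired into a pre-push hook or a CI job, a scanner like this refuses the push; the point of the allowlist and the prefix requirement on secret keys is that a noisy scanner is the one people switch off.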
Why This Matters
The broader context here is that federal agencies now run much of their critical work on commercial cloud services. These cloud platforms are secure — but only if the passwords protecting them stay secret. When passwords leak, the security of government operations is at risk.
The fact that the files stayed public for several months, not just days, raises a question: how did this go unnoticed for so long? In this author's view, it suggests that oversight of contractor work may not be as rigorous as oversight of government employees.
This incident also affects the broader software supply chain. The leaked code repository access could potentially allow an attacker to sneak harmful code into tools and software used across multiple agencies. It's a vulnerability that could spread far beyond CISA.
What Happens Next
CISA has not publicly explained how it will respond. The standard steps would include revoking and replacing every exposed credential immediately, working out what each one could reach, investigating whether anyone unauthorized used the systems during those months, and reviewing security practices to prevent this from happening again.
The challenge is knowing what was actually compromised. GitHub shows a repository's owner only aggregate view and clone counts for the most recent two weeks, not who looked, so for an exposure measured in months those counts settle nothing. Credentials posted publicly on GitHub are routinely picked up by automated scrapers, so a practitioner treats every exposed key as compromised and rotates it regardless. The better evidence is on the other side: the cloud provider's API audit logs record which access key made each call, when, and from which address, so determining whether anyone actually misused the exposed passwords means combing those logs for the leaked keys.
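That combing step, as an added example that is not from CISA, AWS or the Krebs report: a triage of CloudTrail-style audit records that keeps only calls made with a leaked key ID, inside the exposure window, from an address outside the contractor's own network, and then summarizes per key when the first such call happened, where it came from, and whether any call was one that creates persistence (new users or keys). The log records, key IDs, IP addresses, dates and trusted network are all constructed for the example; the record field names are the ones CloudTrail actually uses.

```python
"""Triage of cloud API audit logs for use of leaked access keys.  Added
example, not code from CISA, AWS, or the Krebs report.  Records and values
below are constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation
address ranges, not anyone's real network."""
import ipaddress
import json
from datetime import datetime

# Constructed CloudTrail log file (CloudTrail delivers {"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-01-15T09:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAQ7ZXC4V2NB8M1R5T"}},
    {"eventTime": "2026-02-10T11:40:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "198.51.100.12",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAQ7ZXC4V2NB8M1R5T"}},
    {"eventTime": "2026-03-02T14:05:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAQ7ZXC4V2NB8M1R5T"}},
    {"eventTime": "2026-03-02T14:06:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAQ7ZXC4V2NB8M1R5T"}},
    {"eventTime": "2026-03-05T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAZZZZZZZZZZZZZZZZ"}},
    {"eventTime": "2026-03-06T02:17:55Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAQ7ZXC4V2NB8M1R5T"}},
]})

EXPOSED_KEYS = {"AKIAQ7ZXC4V2NB8M1R5T"}           # key IDs found in the public repo
EXPOSURE_START = datetime(2026, 2, 1)              # earliest commit that carried them
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # contractor's egress range
# IAM calls that give an intruder a foothold outliving the rotated key.
PERSISTENCE_EVENTS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                      "AttachUserPolicy", "PutUserPolicy"}


def load_records(log_text):
    return json.loads(log_text)["Records"]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def from_trusted(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # service principals appear here as DNS names
        return False
    return any(addr in n for n in nets)


def triage(records, exposed_keys, window_start, trusted_nets):
    """Calls made with an exposed key, after exposure, from an unknown address."""
    hits = []
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key not in exposed_keys:
            continue
        if parse_time(r["eventTime"]) < window_start:
            continue
        if from_trusted(r.get("sourceIPAddress", ""), trusted_nets):
            continue
        hits.append(r)
    return hits


def summarize(hits):
    """Per exposed key: first misuse, source addresses, calls, persistence flag."""
    out = {}
    for r in sorted(hits, key=lambda r: r["eventTime"]):
        key = r["userIdentity"]["accessKeyId"]
        s = out.setdefault(key, {"first_seen": r["eventTime"], "source_ips": set(),
                                 "events": [], "persistence": False})
        s["source_ips"].add(r["sourceIPAddress"])
        s["events"].append(f'{r["eventSource"]}:{r["eventName"]}')
        s["persistence"] |= r["eventName"] in PERSISTENCE_EVENTS
    return out


if __name__ == "__main__":
    hits = triage(load_records(SAMPLE_LOG), EXPOSED_KEYS, EXPOSURE_START, TRUSTED_NETS)
    for key, s in summarize(hits).items():
        print(key, s)
```

In the constructed data the first untrusted call is `sts:GetCallerIdentity`, a typical first move by someone testing a key they found, and the later `iam:CreateAccessKey` is why rotating the leaked key alone would not end the incident: the new key created with it has to be found and revoked too.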
The practical lesson for organizations of all sizes is straightforward: use automated tools to catch leaked passwords before they go public, train people about what data should and should not be in code repositories, and regularly check that these safeguards are actually working. These are not new solutions — they have existed for years. The persistent problem is making sure they are actually used.


