‘The Worst Leak That I’ve Witnessed’: U.S. Cybersecurity Agency Leaves Its Digital Keys Out in Public on GitHub
Passwords were stored as plain text in a public GitHub repository.
by Mike Pearl
Gizmodo, May 18, 2026,
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been leaving the digital keys to its own cloud storage accounts sitting out in the open, in plain text form, for some unknown amount of time, according to a report from Krebs on Security. The problem finally got fixed over the weekend, the report says.
Surely the secret information was buried in some obscure folder with an inscrutable name, I hear you saying. The repository was reportedly named “Private-CISA.”
But there’s no way the contents were that sensitive, you object. But the contents included passwords, keys, and tokens—and the passwords were plain text in a .CSV file.
CISA gave a statement to Krebs, saying the following:
“Currently, there is no indication that any sensitive data was compromised as a result of this incident[…] While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
Since the repository was created in November of last year, the duration of the vulnerability seems to have been about six months—but it could have been much shorter depending on what information as added when.
Continues...
https://gizmodo.com/the-worst-leak-that-ive-witnessed-u-s-cybersecurity-agency-leaves-its-digital-keys-out-in-public-on-github-2000760330
Thanks, Putin.
= new reply since forum marked as read