
CISA Credentials Found In Public Repo
TL;DR: The US Cybersecurity and Infrastructure Agency (CISA) accidentally exposed sensitive credentials, including plaintext passwords and SSH keys, in a public GitHub repository. The repository, discovered by security firm GitGuardian, was accessible for an extended period before being taken offline after a security researcher reported the issue.
Key facts
- Category: Cybersecurity
- Impact: Low
- Published
- Source: Ars Technica
Full summary
The US Cybersecurity and Infrastructure Agency (CISA) exposed plaintext passwords, SSH keys, and other sensitive credentials in a public GitHub repository.
The US Cybersecurity and Infrastructure Agency (CISA) inadvertently exposed a large collection of sensitive credentials in a public GitHub repository. The exposed data included plaintext passwords, SSH private keys, and access tokens. The repository, ironically named "Private-CISA," was discovered by the security firm GitGuardian during a routine scan of public code. Security researcher Brian Krebs reported the incident after the firm's attempts to contact the repository's owner were unsuccessful. The repository, which had been public for an extended period, has since been removed.
This incident represents a significant security failure for an organization central to US cybersecurity efforts. The exposure of such critical credentials could have provided malicious actors with access to sensitive government infrastructure and systems. For businesses and development teams, this event underscores the critical importance of never hardcoding secrets like passwords or API keys directly into source code. It also highlights the value of using automated secret scanning tools within the development pipeline to catch such mistakes before they become public. The case serves as a powerful reminder that even expert organizations are susceptible to basic security errors, reinforcing the need for robust security protocols and regular code audits.
Why it matters
This is a significant security lapse for a top US cybersecurity agency, highlighting that even expert organizations can make fundamental errors. It serves as a critical reminder for all development and security teams about the dangers of hardcoding secrets and the necessity of automated code scanning.
Business impact
The exposure of credentials could have led to unauthorized access to critical government systems. For businesses, this incident reinforces the need for strict security protocols, regular code audits, and automated tools to prevent similar costly and reputation-damaging mistakes.
Primary source: Ars Technica