US cybersecurity agency CISA exposed a large collection of passwords and cloud keys to the open web

✨ Discover this must-read post from TechCrunch 📖

📂 **Category**: Government & Policy,Security,CISA,cybersecurity,data exposure,Trump Administration

📌 **What You’ll Learn**:

US cybersecurity agency CISA may have been spared a major security breach, thanks to a well-intentioned security researcher who identified publicly exposed credentials that allowed access to government cloud systems and internal agency systems.

As first reported by independent security reporter Brian Krebs, Guillaume Valadon, a security researcher at GitGuardian, found large amounts of exposed plaintext credentials listed in spreadsheets, which an employee working for a CISA contractor had made publicly available in a GitHub repository.

Valadon told Krebs that the exposed credentials were for accessing systems belonging to CISA and its parent agency, the Department of Homeland Security. The credentials include access tokens, cloud keys and other sensitive files, Valadon said. Valadon told Krebs that he tested some of the keys to verify their authenticity.

He then reported the exposure to Krebs because the CISA contractor who maintained the GitHub environment did not respond to his alerts.

This lapse is particularly embarrassing for CISA because the US government agency is responsible for cybersecurity across the civilian federal network. The agency also advises on cybersecurity best practices, which include storing passwords in secure password managers rather than in unprotected spreadsheets.

It’s not clear if anyone other than Valadon found or used the credentials. When contacted by TechCrunch, a CISA spokesperson did not immediately comment or say whether the agency had any evidence of a breach resulting from this exposure. TechCrunch asked whether the agency revoked and replaced the exposed credentials after the incident.

While the incident was traced to an employee working for a CISA contractor, CISA is ultimately responsible for the security of its own network and systems, including contractors who work for the agency.

CISA has been without a permanent director since January 20, 2025, when then-CISA Director Jen Easterly stepped down before the start of the incoming Trump administration. CISA has also lost about a third of its workforce following cuts, furloughs and layoffs since Trump took office.


🕒 **Posted on**: 1779204535
