The U.S. Cybersecurity and Infrastructure Security Agency (CISA)—the body responsible for protecting America's digital infrastructure—accidentally exposed plaintext passwords and cloud access credentials online.
According to a TechCrunch report, a CISA contractor employee uploaded spreadsheets containing plaintext passwords, access tokens, and cloud keys to a public GitHub repository. The credentials were accessible to anyone with the repository URL.
Security researcher Guillaume Valadon discovered the exposed credentials and reported them immediately. Valadon tested some of the keys and confirmed they worked, meaning they could have granted access to CISA and Department of Homeland Security systems.
CISA advises government agencies to store passwords in secure password managers and never store them in unprotected spreadsheets. The agency violated its own guidance.
When TechCrunch contacted CISA, spokesperson Marco di Sandro said the agency is investigating but stated there is "no indication that any sensitive data was compromised." CISA did not confirm whether it has revoked the exposed credentials or explain how they were leaked.
The timing compounds the problem: CISA has been without a permanent director since January 2025, and the agency lost about a third of its workforce following budget cuts and layoffs.
The exposure was discovered before any unauthorized party used the credentials. However, the incident demonstrates that even the government's top cybersecurity agency is vulnerable to operational failures.