US cybersecurity agency CISA may have been spared a major security breach thanks to an honest security researcher who identified publicly exposed credentials that allowed access to government clouds and internal agency systems.
As first reported by independent security reporter Brian Krebs, GitGuardian security researcher Guillaume Valadon found a large number of plaintext credentials listed in an exposed spreadsheet. The spreadsheet had been published in a public GitHub repository by an employee working for a CISA contractor.
Valadon told Krebs that the exposed credentials were used for accessing systems belonging to CISA and its parent agency, the Department of Homeland Security. Valadon said the credentials included access tokens, cloud keys and other sensitive files. Valadon told Krebs that he had tested some of the keys and confirmed that they were valid.
After initially failing to respond to the alert, the CISA contractor maintaining the GitHub environment later told Krebs that the credentials had been revoked.
The security blunder is especially embarrassing for CISA because the U.S. government agency is responsible for cybersecurity across civilian federal networks. The organization also advises on cybersecurity best practices, such as storing passwords in a secure password manager rather than in an unprotected spreadsheet.
It is not clear whether anyone other than Valadon found or used these credentials. In a statement to TechCrunch, CISA spokesperson Marco Di Sandro said the agency is “aware of the reported disclosure and continues to investigate the situation,” adding: “There is no indication that sensitive data was compromised as a result of this incident.”
CISA did not say whether the agency had seen evidence of a breach resulting from this disclosure. TechCrunch also asked whether the agency had revoked and replaced the exposed credentials following the incident.
Although this incident traces back to employees of CISA contractors, CISA is ultimately responsible for the security of its own networks and systems, including those operated by contractors working for CISA.
CISA has been without a permanent director since then-CISA Director Jen Easterly resigned on January 20, 2025, ahead of the inauguration of the next Trump administration. CISA has also lost about a third of its workforce to layoffs and furloughs since President Trump took office.
Updated with comment from CISA.
