
The Cybersecurity and Infrastructure Security Agency is investigating a security lapse involving the public exposure of plaintext administrative credentials that granted access to government cloud networks and internal agency infrastructure. Discovered by GitGuardian security researcher Guillaume Valadon, the sensitive access keys had been uploaded to a public repository on the software development platform GitHub. The data exposure originated from an employee working for an external private contractor hired by the federal cyber defense unit.
Exposed Access Files and Administrative Validation
The compromised information was aggregated within plaintext spreadsheets containing access tokens, cloud storage keys, and sensitive configuration files belonging to the agency and its parent body, the Department of Homeland Security. Valadon discovered the exposed data during routine research and subsequently validated a subset of the security keys to confirm they remained active on government systems. The researcher attempted to notify the private contracting company regarding the administrative vulnerability, but routed the intelligence to independent security journalist Brian Krebs after the corporate entity failed to respond to direct alerts.
Institutional Mandates and Structural Workforce Deficits
The data exposure presents an administrative complication for the organization, which serves as the primary federal authority responsible for establishing civilian cyber defense policies and advocating for secure cryptographic password management. The incident follows an extended period of leadership vacancy at the agency, which has operated without a permanent director since Jen Easterly resigned from the post on 20 January 2025. Furthermore, the operational capacity of the bureau has contracted by approximately one-third due to a series of federal budget cuts, employee furloughs, and targeted staff layoffs implemented under the current presidential administration.
Contamination Containment and Investigative Status
Agency spokesperson Marco DiSandro stated that the organization is actively investigating the parameters of the credential exposure, noting that current forensic logs show no definitive indications that unauthorized actors compromised or extracted sensitive federal data. The bureau declined to specify whether network administrators have completed the revocation and rotation of all exposed digital certificates. It remains unconfirmed whether malicious cyber actors discovered or utilized the plaintext spreadsheets prior to the researcher securing the repository.
