Researcher Finds Public GitHub Repo Exposing Sensitive CISA Credentials

The episode recounts how GitGuardian security researcher Guillaume Valadon, while monitoring public GitHub for leaked secrets, discovered a publicly accessible repository labeled "CISA-Private" containing highly sensitive CISA materials, including internal DHS/CISA credentials, cloud keys, tokens, plaintext passwords, logs, and files such as "Important AWS Tokens" and a CSV listing usernames and passwords for internal systems. Believing a contractor likely used GitHub to move work from a work device to a home device, Valadon escalated via responsible disclosure to CERT, then involved journalist Brian Krebs to reach CISA faster when the repo remained public.

After additional outreach, the repository was made inaccessible within about a day, and Valadon praises CISA's response speed. The discussion emphasizes widespread poor secret hygiene, governance, training, and the need for organizations to monitor, rehearse, and automate detection and revocation of leaked secrets.

Cybersecurity Today would like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity, and data threats inside Google Workspace and Microsoft 365. You can contact them at material[dot]security.

00:00 Weekend Welcome Sponsor
00:27 CISA Secrets Leak Found
03:29 Calling Brian Krebs
05:06 Meet GitGuardian Researcher
07:26 Why Leaks Happen Everywhere
10:49 Inside the CISA Repo
13:19 Disclosure and Takedown
17:04 Lessons for Organizations
22:47 Aftermath and Thanks
24:36 Show Wrap Sponsor Outro