CISA Shares Lessons Learned from Public GitHub Data Leak
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has detailed its response and recommendations following a data leak incident where sensitive information was exposed on a public GitHub repository.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has publicly shared critical lessons learned from a data leak incident that occurred on November 13, 2025. The incident involved a public GitHub repository named "Private-CISA" which inadvertently exposed 844 megabytes of data. This sensitive information included valid plaintext passwords, AWS tokens, and Entra ID SAML certificates, alongside internal documentation and personal files, according to the secrets-scanning service GitGuardian.
Researchers from GitGuardian began attempting to notify CISA about the exposure on May 14, 2026, and successfully alerted the agency the following day. CISA's swift response saw the repository taken offline within 26 hours of the initial notification, a speed that GitGuardian's cybersecurity researcher Guillaume Valadon lauded, noting that such rapid fixes are uncommon. CISA's "after-action report" highlighted several aspects that worked well during the incident, including taking the researcher's warning seriously and maintaining robust zero trust controls and logging. These measures enabled the security operations center to quickly trace the credential exposure to a single individual, identified as a contractor, and confirm that the leaked credentials were not used outside of CISA's environments.
As part of its immediate response, CISA temporarily took its development environment offline and reset all access credentials. The agency also revoked the access credentials of the individual responsible for the exposure. A digital forensic investigation revealed that the individual had uploaded copies of a CISA build and deployment repository to their personal GitHub account to autonomously create cloud infrastructure. This repository contained CISA's Infrastructure As Code and build code, and critically, the individual had included both administrative and build credentials within the public repository.
The reporting process, however, could have been more streamlined. GitGuardian indicated that its automated secrets-finding system had already contacted the GitHub commit author nine times prior to the official report, warning about the information exposure. On May 14, 2026, researchers directly reported the leak to the U.S. CERT Coordination Center's portal and also leveraged their professional network. When only an automated confirmation was received and the weekend approached, they engaged investigative journalist Brian Krebs, which ultimately led to direct communication with CISA researchers on May 15, 2026.
Valadon pointed out that while CISA acted quickly once engaged, the path to leadership awareness was "unnecessarily complicated." He urged all organizations to simplify the process for reporting security alerts. The incident underscores the importance of coordinated vulnerability disclosure programs, a topic recently emphasized in a joint advisory from CISA, the NSA, and international cybersecurity agencies. This advisory specifically recommended using a security.txt file to provide clear instructions for security researchers reporting vulnerabilities, a practice CISA has now implemented on its own domain.
CISA also identified a significant gap in its preparedness: the absence of a specific security playbook for responding to data leaks from cloud repositories like GitHub. The agency had to create one as part of its incident response, adding to the overall time taken. Moving forward, CISA is committed to tightening controls on the use of public code repositories and has begun scanning its own code repositories for exposed secrets, recommending that all organizations adopt similar practices. The agency is also consolidating its development environments to enforce stronger security guardrails and is refining its incident response playbooks.