CISA contractor accidentally leaks AWS credentials on personal GitHub account

A CISA contractor accidentally exposed AWS access keys and admin credentials on a personal GitHub account, sparking a major security review at the agency.

CSBadmin
2 Min Read

Weak security controls around public GitHub repositories allowed a contractor for the Cybersecurity and Infrastructure Security Agency to accidentally leak private cloud access keys and other sensitive credentials, according to a rare after-action report published by the agency.

The contractor—attributed to government contractor Nightwing—uploaded copies of a CISA build and deployment repository to a personal GitHub account to create cloud infrastructure autonomously. In the process, they also uploaded administrator credentials, build passwords, and infrastructure-as-code data containing private access keys for Amazon Web Services and other cloud services.

Independent security journalist Brian Krebs first reported the leak in mid-May, triggering intense congressional scrutiny. CISA said it took swift action, taking the contractor’s GitHub repository offline and disabling access to CISA systems. Log analysis determined there was no unauthorized use of the leaked credentials and no customer or mission data was exposed.

The agency acknowledged that rotating the leaked cloud access keys took longer than anticipated due to the complexity of CISA’s interconnected systems with federal and industry partners. CISA also admitted it lacked a playbook for responding to a cloud security leak via GitHub, forcing it to build one mid-incident. The agency has since rotated all secrets, implemented better secrets management, and is refining reporting channels for security researchers.

“It is not a matter of ‘if,’ but ‘when’ a cybersecurity incident will happen to your organization,” CISA said, urging transparency in incident reporting to strengthen trust across the cybersecurity community.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.