798
‘The Worst Leak That I’ve Witnessed’: U.S. Cybersecurity Agency Leaves Its Digital Keys Out in Public on GitHub (gizmodo.com)
submitted 1 week ago by throws_lemy@reddthat.com to c/technology@lemmy.world
90 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[-] Mulligrubs@lemmy.world 18 points 6 days ago* (last edited 6 days ago)

Passwords were stored as plain text in a public GitHub repository.

Governments and corporations are made up of people, and when people see other people treated like garbage, they tend to become less diligent in their own duties, and loyalty is thrown out the window. Revenge is never off the table.

Also, even if you get rid of everybody so that no witnesses of your injustice remain, you've filled those positions with neophytes, who are incompetent for quite some time (at least).

that's the notorious "double whammy catch-22 fuck around find out" phenomenon, a TRIPLE THREAT

[-] Marshezezz 16 points 6 days ago

We could just burn everything down and return to jungle law where the fascists will realize really quick how coddled they’ve been in life

[-] mynameisbob@lemmy.ml 7 points 6 days ago

U.S. Cybersecurity Agency == Chat_gipity_techno_turds or short version doge_after_birth... like top jorb in the land man...or should be. Always running from or running to. Constipation or diarrhea

[-] demonsword@lemmy.world 215 points 1 week ago* (last edited 1 week ago)

vibe code go brrrrrrr

EDIT: wow it's far worse, it was a single contractor that decided that his convenience was above any and all security recommendations ever written. Pure. Genius!

[-] lIlIlIlIlIlIl@lemmy.world 78 points 1 week ago

Leaving passwords in plaintext has zero to do with “vibe coding”

[-] demonsword@lemmy.world 27 points 1 week ago

yeah, and this is why I edited my original post after reading the article.

[-] crusa187@lemmy.ml 45 points 1 week ago

Only the best people

load more comments (1 replies)
[-] wonderingwanderer@sopuli.xyz 16 points 1 week ago

Contractor, eh?

How much do you wanna bet he has close personal ties to the trump family and zero cybersecurity experience?

[-] pulsewidth@lemmy.world 199 points 1 week ago

Six months of exposure.

There is zero chance that the CISA systems have not been comprehensively breeched by every foreign adversary.

Good thing Trump cut 1/4 of their workforce last year. It's really paying dividends for Putin.

[-] SaveTheTuaHawk@lemmy.ca 91 points 1 week ago

[-] mPony@lemmy.world 29 points 1 week ago

that chain saw is not at the correct height

load more comments (4 replies)
[-] homesweethomeMrL@lemmy.world 27 points 1 week ago

All going to plan, comrade

[-] henfredemars@lemdro.id 19 points 1 week ago

Breached? But we left the keys in the ignition and the door was wide open. We could have, you know, tried.

[-] flandish@lemmy.world 13 points 1 week ago

reminds me of when i lived in nashville and there had to be news bulletins reminding people to not leave firearms in their cars, as they were getting stolen.

load more comments (2 replies)
load more comments (1 replies)
[-] zd9@lemmy.world 112 points 1 week ago

jesus christ

This regime has caused so much damage to our national security, much of which we won't discover for years or decades. The Russians and Chinese (and literally anyone else) are probably fully infiltrated into our entire system in every aspect. SO fucking incompetent and corrupt.

[-] henfredemars@lemdro.id 46 points 1 week ago* (last edited 1 week ago)

We’re barely even trying with the massive cuts to cyber security. It’s almost the exact playbook you would use if leadership were actively hostile.

[-] zd9@lemmy.world 48 points 1 week ago

Trump and co are actively hostile to the US government though. There have been entire books written about how compromised he is. He's the perfect insider threat example: in debt to foreign powers, selfish and looking to make personal money, lies about his dealings, easily temptable with honeypot women (and Epstein girls, fucking sick), no allegiance or any form of duty to country or anything bigger than himself because he's a massive nihilist narcissist.

Really really scary times for anyone in America.

[-] Aqarius@lemmy.world 19 points 1 week ago

Don't worry, soon the folks in charge will come to the inevitable conclusion that the government systems are all compromised, so clearly the only solution is to privatise them and have thevNSA run by Palantir.

[-] Lost_My_Mind@lemmy.world 19 points 1 week ago

See, that's the thing. I always grew up with the phrase "Don't blame on malice what can be explained by incompetence".

But at a certain point, IS it incompetence anymore??? At this point it's starting to feel very very deliberate.

[-] kent_eh@lemmy.ca 12 points 1 week ago

In this case it is both malice and incompetence acting together to create the worst possible outcomes.

load more comments (1 replies)
load more comments (2 replies)
[-] homesweethomeMrL@lemmy.world 95 points 1 week ago* (last edited 1 week ago)

Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

But wait

Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers.

This is shameful incompetence. Just head-rolling abysmal incompetence. These are the people they hired, for all you 1337 hax0rz currently looking.

[-] atomicbocks@sh.itjust.works 44 points 1 week ago

As a dev who’s been unemployed for 18 months your last sentence was pretty much my first thought when reading the article.

load more comments (1 replies)
[-] CosmicTurtle0@lemmy.dbzer0.com 12 points 1 week ago

Outside of the sheer incompetence of this administration, is there ANY chance this was done intentionally as a honeypot or something along those lines?

The fact that the commits were explicit along with bypassing all the checks could read as someone trying to see who knocks on the door.

[-] phutatorius@lemmy.zip 1 points 6 days ago

Not a honeypot. Treason.

[-] homesweethomeMrL@lemmy.world 15 points 1 week ago

I don’t see it. Like the guy in the article said, it starts out looking like a joke . . . Buuuut it ain’t.

[-] TheVoiceOfRaison@thelemmy.club 11 points 1 week ago

ELIT please.

Explain like im Trump in case you didn't get the T bit. Sorry.

[-] henfredemars@lemdro.id 22 points 1 week ago* (last edited 1 week ago)

Our best and finest left the safe combo next to the safe and then left for 6 months.

load more comments (1 replies)
load more comments (4 replies)
load more comments (1 replies)
[-] boatswain@infosec.pub 84 points 1 week ago

Here's a link to the Krebs on Security article that Gizmodo used as a source: https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/

[-] mlg@lemmy.world 83 points 1 week ago* (last edited 1 week ago)

GitHub gets autoscanned by thousands of malicious actors for keys and credentials on every commit, including the comments lol.

The fact that CISA themselves never saw an automated breach attempt only minutes after pushing to github is the more interesting story here.

Either the contractor is so incompetent that they didn't have any logging set up and the breach went completely unnoticed for 6 months.

Or this really is some fat honeypot that they won't admit is a honeypot because they've been using it to watch or bait APTs.

Currently, there is no indication that any sensitive data was compromised as a result of this incident

This is literally impossible unless it really was a honeypot. You can demo this yourself in real time. Make a throwaway cloud account on your favorite provider, commit the cloud auth token into a repo, and you will see an automated bot login within minutes.

Commiting any secrets to a public repo should just be considered auto compromised because of how potent it is.

That stuff ususlly gets exposed via poor CI/CD permissions where credentials are required, but straight up file commit is like publicly announcing exactly where you left your house keys lol.

[-] Ironfacebuster@lemmy.world 31 points 1 week ago

Can confirm, with one of my first discord bots I accidentally committed the token and within a day someone logged in and announced in every server it was in that the token was compromised

[-] Taldan@lemmy.world 28 points 6 days ago

Based greyhat

load more comments (2 replies)
[-] whotookkarl@lemmy.dbzer0.com 70 points 1 week ago

Imagine fucking up so bad security researchers think it must be an obvious honey pot until they see what the credentials give access to

[-] dreadbeef@lemmy.dbzer0.com 50 points 1 week ago

This isnt a leak. This is incompetency.

[-] LodeMike@lemmy.today 12 points 6 days ago

"Store gets robbed after owner leaves door wide open at night"

[-] dreadbeef@lemmy.dbzer0.com 3 points 6 days ago

"Store owner invited robbers at night to steal their own goods" is how this article would word that

[-] db2@lemmy.world 36 points 1 week ago

"Leak"

[-] Kowowow@lemmy.ca 14 points 1 week ago

Not exactly a B&E if I leave my keys where others can use them

[-] dhork@lemmy.world 36 points 1 week ago

Why are people acting surprised? This is exactly what DOGE intended to do.

load more comments (3 replies)
[-] wonderingwanderer@sopuli.xyz 30 points 1 week ago

Is this the same cybersecurity agency that fired all its professionals to replace them with sycophants?

[-] BaroqueInMind@piefed.social 29 points 1 week ago

Its dumb shit like this that reassures me that AI will definitely take over cyber security jobs and make shit even LESS secure than everything already is.

[-] fullsquare@awful.systems 10 points 1 week ago

the few who will stay sharp will have endless job security

[-] phutatorius@lemmy.zip 2 points 6 days ago

You'll have a history of pushing back so they'll regard you as a potential problem employee.

[-] fullsquare@awful.systems 2 points 6 days ago

good luck with picking and choosing after brainrot as a service does irreparable damage

[-] TryingToBeGood@reddthat.com 10 points 1 week ago

OMG

[-] wewbull@feddit.uk 10 points 1 week ago* (last edited 1 week ago)

...but remember, everything needs to be written in memory safe languages to stop security breaches.

load more comments (2 replies)
[-] SabinStargem@lemmy.today 10 points 1 week ago

load more comments
view more: next ›
this post was submitted on 19 May 2026
798 points (100.0% liked)

Technology

84940 readers
5273 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws