New, by me: CISA Admin Leaked AWS GovCloud Keys on GitHub

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/

It's possible this set of instructions by the CISA contractor might have caused all the trouble:

@briankrebs Seems this dude doesn't know how git works and the organisation did not enforce separation of work and private stuff (on different devices!).

@TheTomas @briankrebs GitHub encourages the mixing, because even with a paid corporate GitHub setup, you can't tell who your employees are, and whether it's a brand new or personal account. So to "properly" fix this, you must stand up your own git instances instead (with their own user account partitioned off from public logins).

@trouble @briankrebs Well, there is a reason why I don’t use Microsoft GitHub. I also recommend using your own GitLab or Forgejo instances, public or private, with GitHub serving as a mirror at most.

@TheTomas @briankrebs well that's not how governments work. Anything they can contract out, they will. Bidding processes are required to be open.

Of course, personally I follow good separation/cleanliness practices and have separate logins for personal and work stuff. Ditto for hardware. I might occasionally ssh from a work machine to my personal spaces, but that's about it. I feel sorry for those that don't, e.g. personal photos, docs on a work device that gets remotely wiped.