May 22, 2026
Leaked, dragged, and ratioed
Lawmakers Demand Answers as CISA Tries to Contain Data Leak
Congress wants receipts after CISA’s own secrets spilled onto the internet
TLDR: Lawmakers are pressing CISA after a contractor reportedly exposed agency access keys and other internal secrets on a public GitHub page, with some of those digital “keys” still not fully replaced days later. Online, people are roasting the agency for a basic-looking blunder while others blame leadership cuts and a collapsing security culture.
Washington is demanding answers after a contractor for CISA — the U.S. agency meant to help protect government and critical systems from hacks — allegedly posted a stash of agency secrets on a public GitHub page. And the internet’s reaction? Absolute disbelief mixed with savage dunking. The most viral mood came from one dry comment mocking CISA’s claim that there was “no indication” sensitive data was compromised: “Oh wow. Except for those secrets.” That one pretty much set the tone.
Commenters were split between outrage and grim resignation. Some called it an embarrassing own goal for the very agency supposed to teach everyone else about security. Others zeroed in on the human drama: this reportedly looked less like a mastermind leak and more like someone using a public code site as a messy personal notepad to move work between machines — which prompted a chorus of “isn’t this basic stuff?” One commenter flatly asked whether this wasn’t “git 101,” the coding equivalent of “don’t leave your house keys taped to the front door.”
Then came the political fireworks. Some argued the scandal proves CISA is failing and doesn’t deserve more funding. Others fired back that gutting the agency of experts and leaders may have helped create exactly this kind of chaos. The result is a classic comment-section pile-on: part clown show, part policy fight, and all-around terrible optics for an agency now scrambling to lock the doors after the keys were already tossed outside.
Key Points
- A CISA contractor allegedly published plaintext credentials, including AWS GovCloud keys and other agency secrets, on a public GitHub repository called “Private-CISA.”
- Experts cited by the report said the repository’s commit logs showed GitHub’s protections against publishing secrets in public repos had been disabled.
- CISA acknowledged the leak, said it had no indication sensitive data was compromised, and did not answer questions about how long the data had been exposed.
- Sen. Maggie Hassan and Reps. Bennie Thompson and Delia Ramirez sent letters demanding explanations from Acting Director Nick Andersen.
- More than a week after GitGuardian notified CISA, the agency was still revoking exposed secrets; Dylan Ayrey said at least one RSA private key still allowed powerful access to CISA GitHub resources.