Don't publish your passwords on github!
Posted by No-Blueberry-1823@reddit | sysadmin | 69 comments
https://gizmodo.com/the-worst-leak-that-ive-witnessed-u-s-cybersecurity-agency-leaves-its-digital-keys-out-in-public-on-github-2000760330 Passwords were supposedly saved in a .csv file, so I guess we are using Excel spreadsheets to save passwords. What a glorious time to be alive. You can't even figure out if it is stupid or on purpose or both.
CantaloupeCamper@reddit
Counterpoint: Publish your passwords on GitHub.
ForOhForError@reddit
And set it to public. Even better, open some PRs to put them on other people's repos too; sharing is caring.
ashvy@reddit
Well they do say "you've nothing to fear if you've nothing to hide" about personal privacy, so why not publish govt/corpo passwords
Basic_Novel_9203@reddit
Agedlikemilk
elitexero@reddit
If everyone has access, nobody has access
...or something like that.
Silver_Newspaper6208@reddit
Also keep a very clear naming convention. I was looking through the list for 2026-luggage-pass.csv. I've got to make sure 123456 is safe.
one-man-circlejerk@reddit
That's the stupidest combination I've ever heard in my life. That's the kind of thing an idiot would have on his luggage!
InfiltraitorX@reddit
It's a free backup... if you need to recover your passwords or financial data you can just ask the hacker group of the moment.
mrcomps@reddit
I embrace the fact that my data is located in multiple geographically separate datacenters and backed up... for free... and all I had to do was run a PowerShell iex command.
I mean, have you actually read all the AWS documentation for how to set up something like that yourself? It's easier and actually much cheaper to just pay one of the freelance data exhilaration consultants to do it for you. Plus... the support is actually better and no egress fees!
Wodaz@reddit
It has full version control built in as well.
shadeland@reddit
It's free real estate!
SnarkFucker@reddit
My national cyber security defense agency did it; it must be legit.
Stvoider@reddit
Security through obscurity
wrosecrans@reddit
The Galaxy Brain version of this is, publish password on Github, then instaban connections from any client that attempts to use one of the honeypot compromised passwords rather than waiting for more aggressive indicators of dangerous behavior.
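The "honeypot password" idea in the comment above is the canary-credential pattern: an account that exists only in the leaked file is never used legitimately, so any attempt to authenticate with it is a high-confidence indicator that the file was read. The following is an added example (not code from the thread or from any product it mentions) that runs that detection over constructed, key=value style auth log lines; the log format, the canary account names and the source addresses are all assumptions made for the example.

```python
"""
Added example: treat deliberately published credentials as canary tokens.
Any authentication attempt that presents a canary username is proof the
leaked file was read, so the source can be blocked on first sight instead
of waiting for noisier indicators.
"""
import re
from collections import defaultdict

# Hypothetical canary accounts that exist only in the leaked CSV. They carry
# no real access and are never used by legitimate clients or automation.
CANARY_USERS = {"svc-legacy-backup", "admin-finance-2019"}

# Constructed sample log lines in a simple key=value format (an assumption,
# not any real product's format).
SAMPLE_LOG = """\
2025-11-03T10:15:22Z auth src=203.0.113.7 user=alice result=OK
2025-11-03T10:15:40Z auth src=203.0.113.7 user=svc-legacy-backup result=FAIL
2025-11-03T10:16:02Z auth src=198.51.100.9 user=bob result=FAIL
2025-11-03T10:16:05Z auth src=198.51.100.9 user=bob result=OK
2025-11-03T10:17:31Z auth src=192.0.2.44 user=admin-finance-2019 result=FAIL
2025-11-03T10:17:33Z auth src=192.0.2.44 user=admin-finance-2019 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised input."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_canary_hits(log_text, canary_users=CANARY_USERS):
    """Return {src_ip: [timestamps]} for every attempt that used a canary username.

    Success or failure is irrelevant: the username alone should never appear,
    so a single FAIL is already actionable.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] in canary_users:
            hits[rec["src"]].append(rec["ts"])
    return dict(hits)


def block_list(log_text, canary_users=CANARY_USERS):
    """Source addresses to block immediately, sorted for stable output."""
    return sorted(find_canary_hits(log_text, canary_users))


if __name__ == "__main__":
    for src, stamps in find_canary_hits(SAMPLE_LOG).items():
        print(f"ALERT canary credential used from {src}: "
              f"{len(stamps)} attempt(s), first at {stamps[0]}")
    print("block:", block_list(SAMPLE_LOG))
```

Two practical points for anyone wiring this into a real pipeline: the canary accounts must be genuinely inert (no group memberships, no real password), and an automatic block on the source address is safest when the address is not a shared NAT or proxy that legitimate users also sit behind; otherwise alert first and let a human decide.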
Adept_Strategy_9545@reddit
I have “zero trust” in CISA anymore between this and the director using public AI models.
ciscotree@reddit
Do as I say, not as I do. I'm guilty of this too sometimes. Never this egregious though.
zaypuma@reddit
Which sucks, because CISA had many promising aspects and programs. Information sharing after breaches has helped (imo) foster a culture that better understands the business case for security resources, and provided realistic models to help internally game out responses.
But yeah, talk about being an absolute model of information sharing, uploading such shameful spreadsheets. Maybe, just like politicians, we should just reboot and restaff these agencies every decade or so with lessons-learned.
ycnz@reddit
Yeah! Support opensource, publish your passwords on Gitlab!
aVarangian@reddit
to be fair a CSV is an upgrade from a TXT
No-Blueberry-1823@reddit (OP)
How? That text is escaped with quotes. That you have a delimiter? I mean come on that's really not saying much
aVarangian@reddit
If I was a hacker I'd rather get a plain-text password database as a csv than a txt. Less work.
luckdead@reddit
Isn't there GitHub secret scanner for this very reason?
No-Blueberry-1823@reddit (OP)
Maybe?
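GitHub does offer secret scanning, but a local check that runs before anything leaves the workstation is the cheaper first line. The block below is an added example, not GitHub's scanner and not anything from the thread: a pre-commit style scan that flags a CSV with a password-like column holding real values, AWS access key IDs by their well-known prefix format, and PEM private key headers. The sample export, column names and file name are constructed for the example; the access key value is AWS's published documentation placeholder, not a real key.

```python
"""
Added example: a local pre-commit check that refuses to commit files that look
like credential dumps. Not GitHub's secret scanning; a complement to it.
"""
import csv
import io
import re
import sys

# AWS access key IDs have a fixed, well-known shape: a 4-letter prefix plus 16
# upper-case alphanumerics. PEM private keys announce themselves in the header.
AWS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Column names (assumed list) that a password-manager export typically uses.
SECRET_COLUMNS = {"password", "passwd", "pass", "secret", "token", "api_key", "apikey"}


def scan_csv(text):
    """Flag each CSV row whose secret-ish column is non-empty."""
    findings = []
    try:
        reader = csv.reader(io.StringIO(text))
        header = next(reader)
    except (csv.Error, StopIteration):
        return findings  # not parseable as CSV, or empty: nothing to flag here
    secret_idx = [i for i, col in enumerate(header) if col.strip().lower() in SECRET_COLUMNS]
    if not secret_idx:
        return findings
    for row_no, row in enumerate(reader, start=2):  # header is line 1
        for i in secret_idx:
            if i < len(row) and row[i].strip():
                findings.append(f"line {row_no}: non-empty '{header[i]}' column")
                break
    return findings


def scan_text(text):
    """Flag AWS access key IDs and PEM private key blocks in any text file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_RE.search(line):
            findings.append(f"line {line_no}: AWS access key ID")
        if PEM_RE.search(line):
            findings.append(f"line {line_no}: PEM private key block")
    return findings


def scan_file_content(name, text):
    """Combine the generic text scan with the CSV column scan for .csv files."""
    findings = scan_text(text)
    if name.lower().endswith(".csv"):
        findings.extend(scan_csv(text))
    return findings


# Constructed sample in the shape a password-manager export produces.
SAMPLE_CSV = (
    "name,url,username,password,notes\n"
    "payroll,https://example.com,alice,Sup3rS3cret!,rotate quarterly\n"
    "aws-root,https://console.aws.amazon.com,root,AKIAIOSFODNN7EXAMPLE,\n"
)


def main(paths):
    """Scan the given files; return a non-zero exit status if anything is found."""
    bad = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for finding in scan_file_content(path, fh.read()):
                print(f"{path}: {finding}")
                bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for f in scan_file_content("export.csv", SAMPLE_CSV):
        print("sample export.csv:", f)
```

To use it as a hook, have `.git/hooks/pre-commit` pass the staged file list (`git diff --cached --name-only --diff-filter=ACM`) to this script and abort the commit on a non-zero exit. The check is deliberately crude: it will miss many secret formats and can false-positive on test fixtures, which is exactly why it belongs alongside a provider-side scanner rather than instead of one.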
theMightBoop@reddit
This is what kills me about password policies forcing longer and more complex passwords. The vulnerability is not brute force attacks. It's leaked password lists. Every. Freaking. Time.
No-Blueberry-1823@reddit (OP)
Well they're supposed to put them in a repository not a spreadsheet
wiwtft@reddit
This is in a CSV right? Every commercial password manager allows you to export to CSV. The government loves to swap products all the time because of new contracts. I am almost certain this happened because they switched password managers and someone exported to CSV and imported and the file sat somewhere until they accidentally uploaded it.
No-Blueberry-1823@reddit (OP)
Thank you! That at least makes some sense. It's still sloppy as all get out but it's in the realm of possibility I guess
Exploding_Testicles@reddit
APIs, Session Keys, passwords.
Trust_8067@reddit
Who would use excel to save passwords. Notepad opens up much quicker.
DehydratedButTired@reddit
Leadership playing with Claude code.
aVarangian@reddit
Excel sucks at handling csv files, so no one
skippy_smooth@reddit
Toss them on the motd
Twist_and_pull@reddit
You're right on that, maybe exported to csv from aws cli lol.
mustang__1@reddit
Isn't this the agency that's supposed to like... have its shit together for shit like this?
xendr0me@reddit
Apparently I saw somewhere it was a contractor of CISA, not exactly CISA directly. Everyone knows contractors don't follow any rules, even though they sign the MOUs and MCAs.
wiwtft@reddit
This is still on the agency though. It's a real push pull in fed work as so many agencies either have or are pushing to go all contractors in IT without realizing contractors have no loyalty because you have no loyalty to them. They are always thinking about the next job and are not the same as people who want to join federal service for life.
notmyredditacct@reddit
hunter2.csv - see, you can't even view the file name, it's all stars, right.. right?
Natural_Feeling3905@reddit
I just use password on everything. Much easier.
wwbubba0069@reddit
Hunter2
techslice87@reddit
FrostyDoughnut8769@reddit
“That’s crazy, that’s the same code as my luggage!”
Practical-Alarm1763@reddit
CISA posted passwords stored in a csv file on a public GitHub Repo... Left it there for 6 months...
2ndtryagain@reddit
You are not my Dad!
ZaMelonZonFire@reddit
Wait, this is a bad ideaaaaa?
Cley_Faye@reddit
People think this was a honeypot… but these days, the level of incompetency really is that high.
anxiousvater@reddit
From the blog: "Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level."
I wouldn't be surprised, these are IAM credentials. Nice job guys.
BCIT_Richard@reddit
I wonder how this plays out legally, he verified the creds worked, but that also reads as unauthorized access to a government system.
RegularMixture@reddit
Told a robot to make a song about this.
Enjoy tonight's entertainment.
skeetgw2@reddit
I've never felt better about my career. Sure I've broken shit, but I've never published my tokens and a full password csv to GitHub.
Same-Variety3904@reddit
In a public repo nonetheless lol. You can't make this up. I have days where I question if my automation environment (that utilizes github) is genuinely utilizing best practices and properly sanitized. I stress myself out about this stuff with every single change and implementation I perform as a one man show. Then you hear about things like this and feel a little bit better.
DevelopersOfBallmer@reddit
It's even worse, the contractor was using GitHub to move files between their work and personal computer...
AuroraFireflash@reddit
This is where I like to leverage the various coding agents. Ask it whether I'm overlooking anything stupid or silly with regards to security.
I still have to think, but at least I have a second opinion.
3DPrintedVoter@reddit
Making America Great Again
leogodin217@reddit
What I thought, too, but this started in November.
ITaggie@reddit
The most recent presidential term started in Jan 2025.
3DPrintedVoter@reddit
And who do you think was president in November of 2025?
leogodin217@reddit
D'oh! Got my years mixed up. I'm numb to time these days. 976 days to go. (If I got that right)
d_fa5@reddit
CISA really went down the shitter with the recent administration
thufirseyebrow@reddit
If this shit happened in a TV show, the writers would be fired for phoning it in so badly. Out of a cannon and into the sun.
punkwalrus@reddit
"The burglar finds, er, Um... The password to the safe is on a yellow post-it! He, ah, sees it on a... Um... On a TV show where they interview the, Um, guy... And he's the head of--"
"Frank. Nobody is that dumb. We're going with hackers infiltrate an abandoned missile silo beneath Prague to crack a titanium safe that only opens during a twelve-second window created by overlapping satellite shadows, using a stolen fingerprint grown in a lab and a violin bow strung with fiber optic wire, only for the owner’s security system to trigger a countermeasure that magnetically locks every metal object in the room to the ceiling while the safe quietly lowers itself into a flooded escape tunnel.”
"I think my idea is better."
https://www.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1
_Do_The_Needful_@reddit
I'm surprised an agency like that doesn't host their own GitHub Enterprise Server. Incompetence all around.
GX_EN@reddit
LOLOLOLOLOLOL
QuantumRiff@reddit
had to double check this was not r/ShittySysadmin
analoghumanoid@reddit
or r/nottheonion
ugus@reddit
lol
JustCallMeBigD@reddit
Someone better get this guy on the case stat
IdidntrunIdidntrun@reddit
This is why I email my password to the company all distro when I go on vacation. Gotta make sure I can remember it when I get back, so I can ping anyone for it
Decantus@reddit
You're not my real mom! I'll post if I want to!
Gsxing@reddit
“The Worst Leak That I’ve Witnessed (so far).”