New, by me: Lawmakers Demand Answers as CISA Tries to Contain Data Leak<\/p>
\"Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.\"<\/p>
From the story: <\/p>
\"KrebsOnSecurity has learned that more a week after CISA was first notified of the data leak by the security firm GitGuardian, the agency is still working to invalidate and replace many of the exposed keys and secrets.\"<\/p>
\"On May 20, KrebsOnSecurity heard from Dylan Ayrey, the creator of TruffleHog, an open-source tool for discovering private keys and other secrets buried in code hosted at GitHub and other public platforms. Ayrey said CISA still hadn\u2019t invalidated an RSA private key exposed in the Private-CISA repo that granted access to a GitHub app which is owned by the CISA enterprise account and installed on the CISA-IT GitHub organization with full access to all code repositories.\"<\/p>
https:\/\/krebsonsecurity.com\/2026\/05\/lawmakers-demand-answers-as-cisa-tries-to-contain-data-leak\/<\/a><\/p>","url":"https:\/\/infosec.exchange\/@briankrebs\/116619211861422630","status_net":{"notice_id":null}},"to":[{"objectType":"http:\/\/activitystrea.ms\/schema\/1.0\/collection","id":"http:\/\/activityschema.org\/collection\/public"}],"status_net":{"conversation":"tag:gnusocial.jp,2026-05-22:objectType=thread:nonce=7310d47b0d36a25b","notice_info":{"local_id":"12637005","source":"ActivityPub","repeat_of":"12636699"}},"published":"2026-05-22T17:40:26+00:00","provider":{"objectType":"service","displayName":"GNU social JP","url":"https:\/\/gnusocial.jp\/"},"title":"dalias repeated a notice by briankrebs","verb":"share","url":"https:\/\/hachyderm.io\/users\/dalias\/statuses\/116619452315412146\/activity"},{"actor":{"id":"https:\/\/infosec.exchange\/users\/briankrebs","displayName":"BrianKrebs","status_net":{"avatarLinks":[{"url":"https:\/\/gnusocial.jp\/avatar\/21764-original-tmp20231104212340.webp","rel":"avatar","type":"image\/webp","width":400,"height":400},{"url":"https:\/\/gnusocial.jp\/avatar\/21764-96-20231108132353.webp","rel":"avatar","type":"image\/webp","width":96,"height":96},{"url":"https:\/\/gnusocial.jp\/avatar\/21764-48-20231108132353.webp","rel":"avatar","type":"image\/webp","width":48,"height":48},{"url":"https:\/\/gnusocial.jp\/avatar\/21764-24-20231108132353.webp","rel":"avatar","type":"image\/webp","width":24,"height":24}],"profile_info":{"local_id":"21764"}},"image":{"url":"https:\/\/gnusocial.jp\/avatar\/21764-96-20231108132353.webp","rel":"avatar","type":"image\/webp","width":96,"height":96},"objectType":"person","summary":"Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Signal: briankrebs.07 krebsonsecurity @ gmail .comLinkedin: https:\/\/www.linkedin.com\/in\/bkrebs","url":"https:\/\/infosec.exchange\/@briankrebs","portablecontacts_net":{"preferredUsername":"briankrebs","displayName":"BrianKrebs","note":"Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Signal: briankrebs.07 krebsonsecurity @ gmail .comLinkedin: https:\/\/www.linkedin.com\/in\/bkrebs"}},"content":" There's a tendency for organizations to react to inadvertently exposing secrets in public code repositories by disabling the repo in question on GitHub, but then taking their time to rotate the exposed credentials. I guess the thinking is that well, maybe nobody noticed. And that's pure folly. From today's story:<\/p> \"Ayrey said his company Truffle Security monitors GitHub and a number of other code platforms for exposed keys, and attempts to alert affected accounts to the sensitive data exposure(s). They can do easily on GitHub because the platform publishes a live feed which includes a record of all commits and changes to public code repositories. But he said cybercriminal actors also monitor these public feeds, and are often quick to pounce on API or SSH keys that get inadvertently published in code commits.\"<\/p> \"In practical terms, it is likely that cybercrime groups or foreign adversaries also noticed the publication of these CISA secrets, the most egregious of which appears to have happened in late April 2025, Ayrey said.<\/p> \u201cWe monitor that firehose of data for keys, and we have tools to try to figure out whose they are,\u201d he said. \u201cWe have evidence attackers monitor that firehose as well. Anyone monitoring GitHub events could be sitting on this information.\u201d\"<\/p>","generator":{"id":"tag:gnusocial.jp,2026-05-28:notice-source:ActivityPub","objectType":"application","status_net":{"source_code":"ActivityPub"}},"id":"https:\/\/infosec.exchange\/users\/briankrebs\/statuses\/116619418737674677","object":{"id":"https:\/\/infosec.exchange\/users\/briankrebs\/statuses\/116619418737674677","objectType":"note","content":" There's a tendency for organizations to react to inadvertently exposing secrets in public code repositories by disabling the repo in question on GitHub, but then taking their time to rotate the exposed credentials. I guess the thinking is that well, maybe nobody noticed. And that's pure folly. From today's story:<\/p> \"Ayrey said his company Truffle Security monitors GitHub and a number of other code platforms for exposed keys, and attempts to alert affected accounts to the sensitive data exposure(s). They can do easily on GitHub because the platform publishes a live feed which includes a record of all commits and changes to public code repositories. But he said cybercriminal actors also monitor these public feeds, and are often quick to pounce on API or SSH keys that get inadvertently published in code commits.\"<\/p> \"In practical terms, it is likely that cybercrime groups or foreign adversaries also noticed the publication of these CISA secrets, the most egregious of which appears to have happened in late April 2025, Ayrey said.<\/p> \u201cWe monitor that firehose of data for keys, and we have tools to try to figure out whose they are,\u201d he said. \u201cWe have evidence attackers monitor that firehose as well. Anyone monitoring GitHub events could be sitting on this information.\u201d\"<\/p>","url":"https:\/\/infosec.exchange\/@briankrebs\/116619418737674677","status_net":{"notice_id":null},"inReplyTo":{"objectType":"note","id":"https:\/\/infosec.exchange\/users\/briankrebs\/statuses\/116619211861422630","url":"https:\/\/infosec.exchange\/@briankrebs\/116619211861422630"}},"to":[{"objectType":"http:\/\/activitystrea.ms\/schema\/1.0\/collection","id":"http:\/\/activityschema.org\/collection\/public"}],"status_net":{"conversation":"tag:gnusocial.jp,2026-05-22:objectType=thread:nonce=7310d47b0d36a25b","notice_info":{"local_id":"12637004","source":"ActivityPub"}},"published":"2026-05-22T17:40:25+00:00","provider":{"objectType":"service","displayName":"GNU social JP","url":"https:\/\/gnusocial.jp\/"},"verb":"post","url":"https:\/\/infosec.exchange\/@briankrebs\/116619418737674677"},{"actor":{"id":"https:\/\/cyberplace.social\/users\/GossiTheDog","displayName":"Kevin Beaumont","status_net":{"avatarLinks":[{"url":"https:\/\/gnusocial.jp\/avatar\/38360-original-tmp20251103132446.webp","rel":"avatar","type":"image\/webp","width":400,"height":400},{"url":"https:\/\/gnusocial.jp\/avatar\/38360-96-20251103140751.webp","rel":"avatar","type":"image\/webp","width":96,"height":96},{"url":"https:\/\/gnusocial.jp\/avatar\/38360-48-20251103133701.webp","rel":"avatar","type":"image\/webp","width":48,"height":48},{"url":"https:\/\/gnusocial.jp\/avatar\/38360-24-20251103154349.webp","rel":"avatar","type":"image\/webp","width":24,"height":24}],"profile_info":{"local_id":"38360"}},"image":{"url":"https:\/\/gnusocial.jp\/avatar\/38360-96-20251103140751.webp","rel":"avatar","type":"image\/webp","width":96,"height":96},"objectType":"person","summary":"Cybersecurity weather person and award winning shitposter. Shitposting is an anagram of Top Insights. You may be surprised to know I am not representing my employer here and these are not their opinions.I have Direct Messages disabled - you can send them, but I will never receive them.","url":"https:\/\/cyberplace.social\/@GossiTheDog","portablecontacts_net":{"preferredUsername":"GossiTheDog","displayName":"Kevin Beaumont","note":"Cybersecurity weather person and award winning shitposter. Shitposting is an anagram of Top Insights. You may be surprised to know I am not representing my employer here and these are not their opinions.I have Direct Messages disabled - you can send them, but I will never receive them."}},"content":" @briankrebs<\/a> cybersecurity is hard<\/p>","generator":{"id":"tag:gnusocial.jp,2026-05-28:notice-source:ActivityPub","objectType":"application","status_net":{"source_code":"ActivityPub"}},"id":"https:\/\/cyberplace.social\/users\/GossiTheDog\/statuses\/116619222214450923","object":{"id":"https:\/\/cyberplace.social\/users\/GossiTheDog\/statuses\/116619222214450923","objectType":"note","content":" @briankrebs<\/a> cybersecurity is hard<\/p>","url":"https:\/\/cyberplace.social\/@GossiTheDog\/116619222214450923","status_net":{"notice_id":null},"inReplyTo":{"objectType":"note","id":"https:\/\/infosec.exchange\/users\/briankrebs\/statuses\/116619211861422630","url":"https:\/\/infosec.exchange\/@briankrebs\/116619211861422630"}},"to":[{"objectType":"http:\/\/activitystrea.ms\/schema\/1.0\/person","id":"https:\/\/infosec.exchange\/users\/briankrebs"},{"objectType":"http:\/\/activitystrea.ms\/schema\/1.0\/collection","id":"http:\/\/activityschema.org\/collection\/public"}],"status_net":{"conversation":"tag:gnusocial.jp,2026-05-22:objectType=thread:nonce=7310d47b0d36a25b","notice_info":{"local_id":"12636700","source":"ActivityPub"}},"published":"2026-05-22T16:42:01+00:00","provider":{"objectType":"service","displayName":"GNU social JP","url":"https:\/\/gnusocial.jp\/"},"verb":"post","url":"https:\/\/cyberplace.social\/@GossiTheDog\/116619222214450923"},{"actor":{"id":"https:\/\/infosec.exchange\/users\/briankrebs","displayName":"BrianKrebs","status_net":{"avatarLinks":[{"url":"https:\/\/gnusocial.jp\/avatar\/21764-original-tmp20231104212340.webp","rel":"avatar","type":"image\/webp","width":400,"height":400},{"url":"https:\/\/gnusocial.jp\/avatar\/21764-96-20231108132353.webp","rel":"avatar","type":"image\/webp","width":96,"height":96},{"url":"https:\/\/gnusocial.jp\/avatar\/21764-48-20231108132353.webp","rel":"avatar","type":"image\/webp","width":48,"height":48},{"url":"https:\/\/gnusocial.jp\/avatar\/21764-24-20231108132353.webp","rel":"avatar","type":"image\/webp","width":24,"height":24}],"profile_info":{"local_id":"21764"}},"image":{"url":"https:\/\/gnusocial.jp\/avatar\/21764-96-20231108132353.webp","rel":"avatar","type":"image\/webp","width":96,"height":96},"objectType":"person","summary":"Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Signal: briankrebs.07 krebsonsecurity @ gmail .comLinkedin: https:\/\/www.linkedin.com\/in\/bkrebs","url":"https:\/\/infosec.exchange\/@briankrebs","portablecontacts_net":{"preferredUsername":"briankrebs","displayName":"BrianKrebs","note":"Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Signal: briankrebs.07 krebsonsecurity @ gmail .comLinkedin: https:\/\/www.linkedin.com\/in\/bkrebs"}},"content":" New, by me: Lawmakers Demand Answers as CISA Tries to Contain Data Leak<\/p> \"Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.\"<\/p> From the story: <\/p> \"KrebsOnSecurity has learned that more a week after CISA was first notified of the data leak by the security firm GitGuardian, the agency is still working to invalidate and replace many of the exposed keys and secrets.\"<\/p> \"On May 20, KrebsOnSecurity heard from Dylan Ayrey, the creator of TruffleHog, an open-source tool for discovering private keys and other secrets buried in code hosted at GitHub and other public platforms. Ayrey said CISA still hadn\u2019t invalidated an RSA private key exposed in the Private-CISA repo that granted access to a GitHub app which is owned by the CISA enterprise account and installed on the CISA-IT GitHub organization with full access to all code repositories.\"<\/p>