Mike Pearl at Gizmodo: ‘The Worst Leak That I’ve Witnessed’: U.S. Cybersecurity Agency Leaves Its Digital Keys Out in Public on GitHub.
Surely the secret information was buried in some obscure folder with an inscrutable name, I hear you saying. The repository was reportedly named “Private-CISA.”
But there’s no way the contents were that sensitive, you object. But the contents included passwords, keys, and tokens—and the passwords were plain text in a .CSV file.
I’ve heard horror stories about people vibe coding and unknowingly exposing their API keys and personal info in GitHub. It seems even “America’s best minds” can make terrible mistakes.