5/19/2026 at 2:53:28 PM
> Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.
obviously leaking the credentials itself is crazy, given that it's (a contractor to) CISA, but to not respond when notified? crazy crazy.
but wait! it gets worse somehow
> “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems
while i understand and sympathize with the fact that CISA is kind of being gutted, a passwords.csv with weak passwords is inexcusable incompetence. not much budget is required for a password manager.
embarrassing all around.
by john_strinlai
5/19/2026 at 3:09:23 PM
The word you're looking for is "gross negligence"
by tantalor
5/19/2026 at 4:42:46 PM
Sometimes I feel like it's a cover for some other org actually just wanting to steal the data and this being the excuse.
by gleenn
5/19/2026 at 6:01:01 PM
You mean like if our government was compromised at the highest levels and they wanted to undermine everything without the public realizing? Btw what happened to all the social security data that DOGE exfiltrated?
by bix6
5/19/2026 at 7:22:24 PM
When empires collapse, it's usually not caused by a foreign power, but by negligence and corruption from within
by juvoly
5/19/2026 at 6:48:08 PM
the fact we're asking about it means the public realized
the problem is the public is dumb, at least when it comes to security, and couldn't tell you why password123 is bad
by red-iron-pine
5/19/2026 at 7:20:10 PM
I think most people realize that leaving your passwords in public is dangerous.
by bix6
5/19/2026 at 8:58:53 PM
Don't they call this "parallel construction" or some such?
by HoldOnAMinute
5/19/2026 at 3:13:30 PM
"crazy crazy" gets the same point across
by john_strinlai
5/19/2026 at 4:05:26 PM
Yeah, but the words "gross negligence" are legal for "you're going to be sued for a whole lot of money."
by binkHN
5/19/2026 at 4:25:10 PM
While I agree that it should not have happened, at the same time it's probably true that most people are never formally trained on security.
The real story here is a big gap in existing implementations where shared credentials are needed and used pretty much across all the systems but there are no good solutions for managing such use cases. People are naturally more sensitive about their personal secrets than something that's shared across the company/group
by sandeepkd
5/19/2026 at 4:50:20 PM
> The real story here is a big gap in existing implementations where shared credentials are needed and used pretty much across all the systems but there are no good solutions for managing such use cases.
This strikes me as so wrong, I wonder if I’m misreading your comment. For instance, team password managers are a thing. And IT teams at many large corporations are not passing around unsecured CSV files full of passwords.
by mikestew
5/19/2026 at 5:13:36 PM
Let's take a concrete example, suppose you have AWS root account credentials. Are you going to assign them to one individual identity or as a company would you keep them accessible to a group of admins? It's going to be the second choice for almost every big company, which makes them shared credentials.
Coming to team password managers at a high level, it's a shared location guarded behind closed doors (probably encryption in transit and at rest). They would be another set of software that every company, especially small businesses or contractors, may not be incentivized to pay for. Someone in their naivety considered GitHub a safe enough place, assuming that the access is guarded, which turned out to be wrong and exposed this thing.
Lastly, IT teams in large corporations being secure is a myth for the most part. Your root keys for the most popular CA providers were shared in plain text emails not so long ago.
by sandeepkd
5/20/2026 at 12:30:59 AM
> Let's take a concrete example, suppose you have AWS root account credentials. Are you going to assign them to one individual identity or as a company you would keep them accessible to a group of admins.
You’d use AWS Organizations so each admin authenticates using their own credentials, gets short-term credentials to access the member account for the handful of operations needing root, and audit usage. It’s not only more secure, it’s also easier:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-ena...
Old school, you’d have a shared password in an encrypted team vault (possibly requiring x of y users to decrypt it) and two FIDO tokens locked in a safe. Again, this is rare and at a federal agency you have a physical security team with 24x7 staffing so you can say “in an emergency, one of the people on this list can get a key out of a safe in the CIO’s office”.
by acdha
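The "x of y users to decrypt it" vault idea above, as an added example that is not part of the thread or of any product: a threshold (Shamir) secret-sharing scheme in Python that splits a break-glass root password into five shares so that any three custodians can reconstruct it, while any two learn nothing. The field prime, the 64-byte size limit and the sample password are choices made for this example.

```python
"""Threshold secret sharing for a break-glass credential.

Added example, not code from the thread or any vendor: splits a secret into
N shares such that any K of them recover it and any K-1 reveal nothing.
Arithmetic is over GF(p) with p = 2^521 - 1, so the secret must be at most
64 bytes; longer secrets would be split into 64-byte chunks (not shown).
"""
import secrets

PRIME = 2**521 - 1          # Mersenne prime M521; every 64-byte secret is below it
MAX_SECRET_BYTES = 64


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner), mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Return share_count (x, y) points; any `threshold` of them recover `secret`."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError("secret longer than %d bytes" % MAX_SECRET_BYTES)
    # coeffs[0] is the secret; the other threshold-1 coefficients are random,
    # so the polynomial has degree threshold-1 and needs threshold points to fix it.
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_int(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given (x, y) points.

    With fewer than `threshold` distinct shares this still returns a value,
    but it is a uniformly random field element unrelated to the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares, length: int) -> bytes:
    """Recover the secret bytes; `length` restores any leading zero bytes."""
    return recover_int(shares).to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed sample, not a real credential.
    ROOT_PASSWORD = b"constructed-demo-root-password"
    shares = split_secret(ROOT_PASSWORD, threshold=3, share_count=5)
    # Any three custodians (here: shares 1, 3, 5) can reconstruct it ...
    print(recover_secret([shares[0], shares[2], shares[4]], len(ROOT_PASSWORD)))
    # ... while two custodians get a random field element, not a near miss.
    print(recover_int(shares[:2]) == int.from_bytes(ROOT_PASSWORD, "big"))
```

Each custodian keeps one `(x, y)` pair (in their own vault entry, or on a token in the safe); the secret itself is never stored anywhere, which is the property a break-glass procedure wants.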
5/20/2026 at 3:35:28 AM
great, now apply this to a 4 person startup who are just focussed to get business somehow. This is not on their radar and they would not be willing to spend money to address this either cause it's not a problem that they are even aware of.
This is the tip of the iceberg, companies like openai, anthropic, perplexity, stripe, all of them have implemented their authentication and security flows in some interpreted language (python, ruby, typescript) cause that was the readily available talent on their product teams and most likely a good number of them do not even have their dependencies locked in.
by sandeepkd
5/20/2026 at 10:32:46 AM
That’s a pretty different scenario than we’re talking about here, but it still doesn’t salvage your previous comment. Those people could still use one of the password managers which support this, which again would be easier than what this guy did.
by acdha
5/20/2026 at 2:43:32 PM
I am not trying to find an excuse when something is clearly wrong, what I am trying to share is how we ended up in a particular situation. The scenario is not much different, the rationale is that security (secure practices) is not part of the product offering for most products/contracts. I have lost quite a few battles to management for security, it does help me to understand how people think and prioritize. People don't care for what they do not understand.
by sandeepkd
5/19/2026 at 5:26:41 PM
This organization is using AWS apparently. They would store the root account credentials in AWS Secrets Manager. That costs $0.40 per month. People in the relevant admin group would have access to them. They would log in with their individual AWS credentials in order to access the root credentials if they need that.
But, requiring AWS root credentials itself is an anti-pattern and implies an immature organization. That should not be needed for day-to-day operation.
This is all just ignorance and incompetence, nothing more.
> Lastly IT teams in large corporations being secure is a myth for most part.
This is CISA. The Cybersecurity and Infrastructure Security Agency for the United States. Security is what they're supposed to specialize in.
The only potential excuse here is that DOGE gutted them to a point that has completely compromised their capabilities. However, this situation is bad enough that it suggests that problems predated that incident.
by antonvs
5/19/2026 at 5:43:48 PM
To be honest I do not know how to respond to this, cause this plays out quite often this way and sounds pretty convincing on the surface. Unfortunately this is the gap between theory and implementation. There is a reason why the ROOT credentials are called ROOT. In case of anything going wrong, all your regular user accounts would be locked; see how you lock yourself out of this circular dependency. ONE SHOULD NEVER PUT THEIR ROOT CREDENTIALS IN THE SECRET MANAGER OF THE SAME ACCOUNT. It's a classical circular problem, compilers compiler type. For AWS itself they have this additional concept of management account that allows you to defer this problem to just one more level.
Bottom line, you can have any number of boxes to lock other boxes and put their key in a bounding box, ultimately there would be one outermost box that is locked by a key which is not in any box
by sandeepkd
5/20/2026 at 2:37:59 PM
> In case of anything going wrong, all your regular user accounts would be locked
You're talking about a very specific and rare scenario, and certainly not something that justifies storing all your passwords in plaintext in a CSV file.
In almost all scenarios where you would need root credentials, having them in the provider's secret manager is fine.
Obviously you need to store root credentials outside of the secret manager as well, but that should be a "break glass" scenario that's only used in emergencies. And you don't store them in plaintext CSV.
> Unfortunately this is the gap between theory and implementation.
I don't disagree that there are many, many organizations that practice bad security. But that doesn't mean there are none that have good security. And one would expect CISA to have good security, otherwise there's really no point in its existence.
There's a difference between saying "this is what most organizations are like" and "this is the way it has to be". The former is true, the latter is false.
by antonvs
5/19/2026 at 5:59:16 PM
We deleted the root credentials after initial setup where we added mgmt IAM accounts used by our automation. If we ever needed them we used the recovery process. All users and services use temporary credentials.
by Hikikomori
5/19/2026 at 6:21:26 PM
I made an assumption that you have a federated AWS account setup. One organization management AWS account and then federated accounts under it, and you are referring to deletion of ROOT credentials in the federated accounts.
Considering that's not the case, what you just did is move the goal post to an account recovery process. The question becomes who has the ability to recover the account; in case it's tied to email then most likely it has to be a shared email box. What you have now is a much more fragile system in case of custom domains, where whoever is controlling the email domain (DNS management capability) can take over the AWS accounts.
by sandeepkd
5/19/2026 at 6:41:55 PM
One account, org, federated, whatever. You don't need to store the root credentials.
An email per account where only the security team has access. Whoever can modify the domain can already do this.
by Hikikomori
5/19/2026 at 6:04:52 PM
This would be an incorrect representation/comparison of the problem being discussed. The semantics of the ROOT account change in the case when a separate management IAM account is introduced. In this case the question would become how you are securing the ROOT credentials for the separate AWS IAM management account/tenant.
by sandeepkd
5/19/2026 at 6:11:56 PM
What part of we store no root credentials is confusing?
by Hikikomori
5/19/2026 at 5:11:24 PM
You are right... Most use Excel files ...
by realo
5/19/2026 at 6:29:29 PM
> For instance, team password managers are a thing. And IT teams at many large corporations are not passing around an unsecured CSV files full of passwords.
It's CURRENTYEAR. No one should be using team password managers or files to store credentials. There should not be storable credentials.
by throwawaypath
5/20/2026 at 12:27:12 AM
None of this is true at the federal level, or at least wasn’t before the current administration. There are standards for all of this, and if you haven’t read them most are quite reasonable — I keep the NIST 800-63 reference handy anytime someone tries to say password expirations are a good idea — and there are people who are paid full time to enforce them.
Having a password list or static AWS credentials is not only a direct policy violation but also implies a number of other failures, from monitoring GitHub repo administration and secret scanning to failure to enforce policies against sharing credentials (part of everyone’s standard training), require use of phishing-proof authentication, failure to use short-term credentials, etc. One mistake can be an individual but this is a multiple-manager failure going up to the executive level.
by acdha
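The NIST 800-63 point above, and the "password123" and "weak passwords" remarks earlier in the thread, as an added example rather than anything from the page: a small memorized-secret checker in the spirit of SP 800-63B section 5.1.1.2. It enforces a length floor and no composition rules, compares against a blocklist and context words, and has no expiry rule at all, since 800-63B tells verifiers to rotate only on evidence of compromise. The blocklist, the 128-character ceiling and the run-detection heuristic are this example's own assumptions; a real verifier would load a breach-derived list.

```python
"""Memorized-secret check in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example, not from the thread: length floor of 8, a generous ceiling
(800-63B says verifiers should accept at least 64 characters), no composition
rules, and rejection of blocklisted, context-specific, and repetitive or
sequential secrets. There is deliberately no periodic-expiry rule.
"""
import unicodedata

# Constructed stand-in; a real deployment loads a breach-derived list.
BLOCKLIST = {
    "password", "password1", "qwerty", "letmein", "welcome", "admin",
    "123456", "12345678", "iloveyou",
}
MIN_LEN, MAX_LEN = 8, 128


def _normalize(secret: str) -> str:
    # 800-63B: normalize Unicode so the same visible string compares equal.
    return unicodedata.normalize("NFKC", secret)


def _has_run(secret: str, min_len: int = 4) -> bool:
    """True for repeated ('aaaa') or stepwise ('1234', 'dcba') runs of code points."""
    codes = [ord(c) for c in secret.lower()]
    for start in range(len(codes) - min_len + 1):
        window = codes[start:start + min_len]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(candidate: str, context_words=(), blocklist=BLOCKLIST):
    """Return the list of reasons to reject `candidate`; an empty list means accept."""
    secret = _normalize(candidate)
    lowered = secret.lower()
    reasons = []
    if len(secret) < MIN_LEN:
        reasons.append("too short")
    elif len(secret) > MAX_LEN:
        reasons.append("too long")
    # Compare both the secret and its core with trailing digits/punctuation
    # removed, so 'Password123!' is caught as 'password'.
    core = lowered.rstrip("0123456789!@#$%^&*.?-_")
    if lowered in blocklist or core in blocklist:
        reasons.append("blocklisted")
    # Service name, username and similar context words must not appear.
    if any(w.lower() in lowered for w in context_words if len(w) >= 4):
        reasons.append("context word")
    if _has_run(secret):
        reasons.append("repetitive or sequential")
    return reasons


if __name__ == "__main__":
    for pw in ["password123", "cisa-admin-2026", "abcd1234",
               "correct horse battery staple"]:
        print(repr(pw), check_password(pw, context_words=["cisa"]) or "accepted")
```

Note what is absent: no "one uppercase, one digit, one symbol" rule and no 90-day expiry; both are things 800-63B steers verifiers away from, and both tend to produce exactly the `Winter2024!` style entries a leaked passwords CSV is full of.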
5/19/2026 at 5:15:09 PM
> shared credentials are needed and used pretty much across all the systems but there are no good solutions for managing such use cases.
What do you mean by this? There are password managers and more enterprise-oriented secrets managers, and application platforms typically have integration with them. Individuals shouldn't be using shared secrets. This is a completely solved problem and it's not difficult to set up properly, especially in a cloud environment like AWS, where you can use services like AWS Secrets Manager.
by antonvs
5/19/2026 at 5:46:51 PM
> While I agree that it should not have happened, at the same time its probably true that most people are never formally trained on security.
This isn’t a grocery store or something, it’s CISA. This is like a gun going off in a cop’s holster while he’s texting and driving without a seatbelt. Yeah he’s a contractor but that doesn’t suddenly allow for such incompetence.
by Forgeties79
5/19/2026 at 6:31:24 PM
I have worked with some of the experienced folks in the federal space in the past, who were super smart, experienced and COSTLY from management's perspective. They had the ability to challenge the management on such things. Most of them have either retired, been managed out or moved on. What you have here is not a reflection of the individual but the entire management chain. It's a race to make the most money and at times these contractors are a number of seats to fill at the lowest possible cost.
by sandeepkd
5/19/2026 at 7:00:25 PM
Totally agree
by Forgeties79
5/19/2026 at 4:54:28 PM
The error and omission of not enforcing mandatory security training covering posting plaintext passwords to public sites for CISA contractors is itself an act of gross negligence.
So much so the contracting company’s insurer would cite it as the reason why the claim is not covered by their policy.
by MrDarcy
5/19/2026 at 6:23:49 PM
He worked for CISA. Surely there is either a security clearance with indoctrination and training, or at the very least, some sort of mandatory training/onboarding for all contractor staff?
by morpheuskafka
5/20/2026 at 12:24:03 AM
I think willfully not reporting this is gross negligence, but also other things.
by nerdsniper
5/19/2026 at 8:25:41 PM
Not defending this person, but it's obvious that this person used GitHub as a file-sync. Firefox-passwords.html and firefox-bookmarks.html are what you dump before migrating to a new computer and importing them there. An old school practice before FF sync was around.
This is mentioned in the article but it stood out enough to call it here.
by uean
5/19/2026 at 3:36:10 PM
Most of the folks I know who were with CISA were purged with the January-March 2025 DOGE campaign. 0 notice, "we 20 year olds don't understand what you do so fired".
A group was working on Diebold voting insecurity, and foreign implant hacking. Gone.
by mystraline
5/19/2026 at 5:13:15 PM
> ...A group was working on Diebold voting insecurity, and foreign implant hacking. Gone...
The conspiracy theorist in me from years ago would have stated that maybe this action from DOGE was purposeful...but, nowadays, i see lots more incompetence that merely might present/display as conspiracy! lol :-D
by mxuribe
5/19/2026 at 3:21:46 PM
On the one hand CISA is being gutted, and on the other hand there is an ever increasing amount of rhetoric about cybersecurity, national interests, critical infrastructure..
by totetsu
5/19/2026 at 5:17:32 PM
Complaining about gutting, during examples of gross negligence is kind of a sympathy destroyer for me.
by SV_BubbleTime
5/19/2026 at 5:50:06 PM
Complaining about gross negligence, after all the competence has been gutted out, strikes me as misdirected frustration.
by ImPostingOnHN
5/20/2026 at 1:26:34 AM
Oh, that's interesting. This is one of those things where two people can hear opposite things from the exact same information.
by totetsu
5/20/2026 at 1:04:30 AM
Gutting doesn't magically solve incompetence. It's an anti-solution that people peddle because it requires literally zero thought or nuance.
If an organization has systemic incompetence and you gut them, then they're still incompetent but now they're also pressured and therefore more likely to make mistakes. So, you're just in a worse position.
by array_key_first
5/20/2026 at 1:18:56 PM
On the contrary you can argue that gutting should lead to a lower number of mistakes/incompetence.
There can't be any mistakes if no work is being done.
by jcattle
5/20/2026 at 6:08:17 PM
There's a big mistake in this logic: is work really not getting done?
Because a lot of work has to be done regardless of if you have the money or time to do it. Most government work is actually not optional, there are literal laws saying it has to be done.
And that's what we, very predictably, saw with DOGE.
Like, think about it. You fire say 50% of people. What happens to the other 50%? They twiddle their thumbs?
You've worked a job before, right? And you've had coworkers fired or laid off before, right? Okay, what happens to their work?
Does it disappear into the abyss or do you then take it on? Because in all my experience, I take it on. Come on now.
by array_key_first
5/20/2026 at 1:35:48 AM
[dead]
by cindyllm
5/20/2026 at 1:51:48 AM
What if they purged all of the competent people and installed party loyalists? That seems to be a recurring theme with this administration. These are guys who unapologetically admire the efficiency of the Nazi party, not realizing that the pervasive incompetence at most levels of the government was one of the driving factors in their ultimate defeat.
by jandrese
5/20/2026 at 2:03:16 AM
Gutting organizations _leads to_ these kinds of problems.
by ryan_lane
5/19/2026 at 5:05:08 PM
That's why we don't listen to rhetoric.
by downrightmike
5/19/2026 at 3:49:43 PM
DOGE. It's DOGE. This is just things going according to plan for people that think the US government is too powerful or that there is a fortune to be made in stealing public sector resources and privatizing them.
It is a bad plan that has and will continue to harm people, but it is intentional.
by throwaway5752
5/19/2026 at 5:48:04 PM
Yes, DOGE invented storing lists of text passwords and uploading them somewhere. What a monumental cost savings innovation, surely never been done before!
by dude187
5/19/2026 at 4:40:44 PM
Which DOGE employee put this file on GitHub?
by parineum
5/19/2026 at 5:04:03 PM
"I didn't create the epidemic, I just fired all the doctors and dissolved the medical schools"
Security doesn't happen by magic. It is enforced by process, maintained by people and systems built and run by people. Furthermore, when people are under stress and under-resourced, they make more mistakes. This was inevitable given the budget cuts.
You can't fire everyone at AWS and say one intern will support it, and say that it is a profitable and sustainable restructuring. Any fool can see that will fail, so if it were actually implemented by someone who is not a fool, you can conclude it is intentional.
by throwaway5752
5/19/2026 at 5:14:39 PM
The analogy to not posting secrets to the public isn't medical schools and doctors, it's a sign in the bathroom that says "employees must wash hands".
by parineum
5/19/2026 at 5:19:47 PM
They replaced the people who put the signs up with people who think signs are too woke.
by ceejayoz
5/19/2026 at 7:18:13 PM
[flagged]
by stackedinserter
5/19/2026 at 7:26:10 PM
We can know, and we do know.
https://techcrunch.com/2025/03/11/doge-axes-cisa-red-team-st...
> Elon Musk’s Department of Government Efficiency (DOGE) has fired more than a hundred employees working for the U.S. government’s cybersecurity agency CISA, including “red team” staffers, two people affected by the layoffs told TechCrunch.
https://www.nytimes.com/2025/04/05/us/politics/trump-loomer-...
> For four years, [Trump] nurtured deep resentments about CISA, which had declared that the 2020 election was one of the best run in history, undercutting his false claims that he had been cheated of victory. Weeks after taking office this year, he began a campaign of dismantlement.
> Federal programs that monitored foreign influence and disinformation have been eliminated. Key elements of the warning systems intended to flag possible intrusions into voting software have also been degraded; the effects may not be known until the next major election. And contractors who worked with local election officials to perform cybersecurity testing, usually with federal funding, have found the deals canceled.
> In early March, CISA — which is nested inside the Department of Homeland Security — cut more than $10 million in funding to two critical cybersecurity intelligence-sharing programs that helped detect and deter cyberattacks and that alerted state and local governments about them. One program was dedicated to election security, and the other to broader government assets, including electrical grids.
by ceejayoz
5/20/2026 at 12:36:29 PM
Yeah, NYT is such a trustworthy source when it comes to Musk or DOGE, aha.
Regardless, do you really think that gov contractors started writing passwords on paper because these layoffs happened?
> Elon Musk’s Department of Government Efficiency (DOGE) has fired more than a hundred employees
How many are left? Hundreds of employees is nothing for government scale.
by stackedinserter
5/19/2026 at 4:45:36 PM
They fired the people who might've prevented that.
https://techcrunch.com/2025/03/11/doge-axes-cisa-red-team-st...
> Elon Musk’s Department of Government Efficiency (DOGE) has fired more than a hundred employees working for the U.S. government’s cybersecurity agency CISA, including “red team” staffers, two people affected by the layoffs told TechCrunch.
by ceejayoz
5/19/2026 at 4:47:51 PM
Not posting secrets to public GitHub repos doesn't need red teaming.
by parineum
5/19/2026 at 4:50:25 PM
A red team might well notice that the build process doesn't check for accidentally committed secrets.
by ceejayoz
5/19/2026 at 5:56:41 PM
Storing a bunch of passwords in a plain-text list that an individual can access violates zero-trust AND least-privilege which I think a red team might have some opinions on.
by jnovek
5/19/2026 at 7:43:43 PM
At my job the commits wouldn’t have even made it to our private GitHub repo. The scanners would’ve rejected it when you tried to push a commit.
They find keys and tokens all the time.
by wil421
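What the "build process doesn't check for accidentally committed secrets" remark and the push-rejecting scanners above refer to, as an added example (not code from the thread, GitHub, or any scanning product): a small rule set of the kind a push-protection hook or CI step applies, run here over constructed in-memory files instead of a git checkout. The rule patterns and the file contents are this example's assumptions (the file name reuses the one quoted from the article, the AWS value is AWS's documented example key ID); wiring it to `git diff --cached` or a `pre-push` hook is assumed and not shown.

```python
"""Pre-push style secret scan over a set of files.

Added example, not code from the thread, GitHub, or any scanner product:
a handful of line rules plus a check for CSV files that carry a password
column, which is what a Firefox logins export looks like.
"""
import csv
import re

# Each rule: (name, compiled regex applied line by line).
LINE_RULES = [
    ("aws-access-key-id",
     re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")),
    # Header of a Firefox logins.csv export: url,username,password,httpRealm,...
    ("firefox-logins-export",
     re.compile(r'^"?url"?,"?username"?,"?password"?,"?httpRealm"?', re.IGNORECASE)),
]


def _csv_password_column(text: str) -> bool:
    """True if the first line parses as a CSV header containing a password column."""
    first = text.splitlines()[0] if text.strip() else ""
    if "," not in first:
        return False
    header = next(csv.reader([first]))
    return any(f.strip().lower() in ("password", "passwd", "pwd") for f in header)


def scan_files(files: dict) -> list:
    """Return (path, line_number, rule) findings for a {path: text} mapping."""
    findings = []
    for path, text in files.items():
        if _csv_password_column(text):
            findings.append((path, 1, "csv-password-column"))
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, rx in LINE_RULES:
                if rx.search(line):
                    findings.append((path, lineno, name))
    return findings


def push_allowed(files: dict) -> bool:
    """Hook verdict: block the push if anything matched."""
    return not scan_files(files)


# Constructed sample tree: the file name from the article, fake contents,
# and AWS's documented example key ID rather than a real one.
SAMPLE_FILES = {
    "AWS-Workspace-Firefox-Passwords.csv": (
        '"url","username","password","httpRealm","formActionOrigin","guid",'
        '"timeCreated","timeLastUsed","timePasswordChanged"\n'
        '"https://vpn.example.invalid","jdoe","Winter2024!","",'
        '"https://vpn.example.invalid","{00000000-0000-0000-0000-000000000000}",'
        '"1700000000000","1700000000000","1700000000000"\n'
    ),
    "deploy.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-east-1\n",
    "README.md": "# Workspace notes\nNothing secret here.\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("%s:%d  %s" % finding)
    print("push allowed:", push_allowed(SAMPLE_FILES))
```

Two of the findings here come from file shape rather than from a token pattern: a CSV whose header has a `password` column is worth blocking even when no individual value looks like a key, which is exactly the case a pattern-only scanner misses. GitHub's hosted push protection is the equivalent of this running server-side; the article excerpt quoted later in the thread says it had been switched off.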
5/19/2026 at 4:54:37 PM
And yet, here we are.
by gumby271
5/19/2026 at 4:51:44 PM
The one who fired the team that prevented this sort of thing.
by skywhopper
5/19/2026 at 5:37:35 PM
What team prevented someone from uploading sensitive information to public sites? This is a billion dollar a year industry (Digital Loss Prevention) and all the solutions suck.
by strictnein
5/19/2026 at 5:19:42 PM
I’m not sure you can complain that the people who should prevent this type of thing are having their funding reduced when the example is that they just did this exact thing.
by SV_BubbleTime
5/19/2026 at 5:00:49 PM
I really hope they didn't also fire the "don't shit your pants" team or that office is going to smell really bad.
by parineum
5/19/2026 at 5:22:47 PM
DOGE only fired those who were loyal to the fascist. Anyone who is competent was illegally fired.
by malcolmgreaves
5/19/2026 at 5:14:56 PM
[flagged]
by scottyah
5/19/2026 at 5:19:42 PM
this does not align with.. well.. anything I've read about DOGE
by john_strinlai
5/19/2026 at 6:53:41 PM
[flagged]
by scottyah
5/19/2026 at 8:24:50 PM
Per the EO that established DOGE, each Agency head established a 4-member DOGE team consisting of a lead, an engineer, an HR specialist and an attorney. Those DOGE teams absolutely did fire thousands of employees after EO 14210 called for huge RIFs across the government.
by mikeyouse
5/19/2026 at 7:52:38 PM
You incorrectly mistake "no authority" for "didn't happen". Judges spank the executive branch for exceeding their authority fairly regularly, including in this case.
https://lawandcrime.com/high-profile/no-statutory-authority-...
> The court finds that neither OPM nor OMB have any statutory authority to terminate employees – aside from their own internal employees – "or to order other agencies to downsize" or to restructure other agencies. And, as far as the Elon Musk-led agency is concerned, the judge is withering: "As plaintiffs rightly note, DOGE 'has no statutory authority at all.'"
https://www.reuters.com/world/us/trump-scores-win-suit-chall...
> A judge on Tuesday declined to immediately block Elon Musk's government efficiency department from directing firings of federal workers or accessing databases, but said the case raises questions about Musk's apparent unchecked authority as a top deputy to President Donald Trump.
by ceejayoz
5/19/2026 at 4:02:14 PM
The first "hack" I ever reported was when I found a plaintext passwords file on my high school computer network...in 1987. The more things change, the more they stay the same.
by jimt1234
5/19/2026 at 7:41:57 PM
Mine too, but it was in the late '90s and I found an open table in an Access database that the school district used for grades and attendance. It listed plaintext usernames and passwords for every user in the system. I managed to use that to get to know the district's head of IT and get a summer job with them.
by g-technology
5/19/2026 at 7:18:47 PM
Machine Head - Struck A Nerve
The more things change, the more they stay the same.
Wise words, lovely song.
by JackGreyhat
5/19/2026 at 3:38:53 PM
Sure, it could be incompetence. It could also be an intentional strategy to tie up CISA/DHS resources, poison or obstruct CISA/DHS investigations/operations, open up systems to sunlight and journalism, or cause general chaos.
The not-responding-when-notified part makes me think it's not just incompetence.
by modriano
5/19/2026 at 3:43:15 PM
> The not-responding-when-notified part makes me think it's not just incompetence.
Strong disagree. The person in question probably thought it was a private repo on GitHub and had a massive deer-in-headlights reaction when they got contacted. Whoever this is lost their job, possibly security clearance and more. This was a 100% life-altering "mistake"/gross incompetence decision they made.
by stackskipton
5/19/2026 at 4:31:33 PM
> the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.
That doesn't support the theory that it was a mistake. That was intentional action. Maybe he was being blackmailed, and was coerced to do it. Or maybe he was a foreign agent or sympathizer who had infiltrated the organization.
by SoftTalker
5/19/2026 at 4:45:54 PM
There has been no indication if this was personally owned GitHub or Organizational owned GitHub. If it's personally owned, it still is one person doing massive dumb. Even if it's Organizational, it's very possible that the person in question had rights to do this without oversight.
I've been a government contractor before, it does not employ the best and brightest, it employs the average and below generally.
by stackskipton
5/19/2026 at 3:54:02 PM
Maybe. I didn't see enough in the article about the repo owner/committer to make any inference about their intentions and wouldn't jump to conclude it was incompetence or malice or crafty leaking. The only real signal I saw was that the repo didn't immediately turn private when the person was notified.
For some people, yeah, this could be a career killer. For some other people, it might just precipitate a flight back to Moscow or Beijing or something.
by modriano
5/19/2026 at 4:19:22 PM
Dealing with IT departments run wild with cyber security monkeys that can only follow checklists with no independent thought.The spreadsheet of passwords is a tad more common than it should be because the password managers don't meet whatever arbitrary checklist of invented cyber security requirements they blindly follow. But Excel does.
Lol
by delfinom