What finally made me stop procrastinating on it was reading about the CISA leak.
A contractor for the Cybersecurity and Infrastructure Security Agency maintained a public GitHub repository called "Private-CISA" that exposed administrative credentials to three AWS GovCloud accounts, dozens of plaintext passwords, and internal deployment configs [S1]. It was created on November 13, 2025, and stayed public until security researchers flagged it on May 15, 2026 [S1]. That's six months. This wasn't a sophisticated attack. Someone disabled GitHub's default secret detection, committed files named "importantAWStokens" and "AWS-Workspace-Firefox-Passwords.csv," and left them open to anyone with an internet connection [S1].
Guillaume Valadon from GitGuardian called it "the worst leak that I've witnessed in my career" [S1]. Philippe Caturegli from Seralys confirmed the credentials could authenticate to three AWS GovCloud accounts at a high privilege level and reach CISA's internal artifactory, the repository of every code package used to build their software. The keys stayed valid for 48 hours after the repo was taken offline.
If this can happen to a federal cybersecurity agency, it can happen to your SaaS. The difference is you don't have a security team to clean up after you. You have you, at night, rotating keys.






