This week delivered a stark reminder that no organization—not even America's cybersecurity guardian—is immune to credential exposure. The US cybersecurity agency CISA found itself in the headlines after a contractor exposed government credentials in a publicly accessible GitHub repository, while threat actors continued their assault on consumer platforms and educational systems across North America.

Government Credentials Exposed in GitHub Security Lapse

CISA narrowly avoided a major security breach when security researcher Guillaume Valadon discovered plaintext credentials in spreadsheets made publicly accessible in a GitHub repository by a contractor employee. The exposed material, which included access tokens, cloud keys, and other sensitive files, provided access to CISA and Department of Homeland Security systems.

The incident highlights a critical vulnerability in contractor oversight. Although the exposure was traced back to a contractor employee, CISA remains ultimately responsible for the security of its network and systems, including contractor access. The contractor who maintained the GitHub environment failed to respond to security alerts, forcing the researcher to report through media channels.

ShinyHunters Strike Educational and Gaming Platforms

Nearly 9,000 schools were affected in the Instructure ransomware attack orchestrated by ShinyHunters, compromising over 3.65 TB of data belonging to 275 million people, including students, teachers, and staff. Instructure, the educational technology firm behind the Canvas learning management system, disclosed the cybersecurity incident on May 1, 2026, after a criminal threat actor targeted its systems.

NVIDIA's GeForce NOW Alliance partner in Armenia was also breached by actors claiming to be ShinyHunters, exposing user databases including names, email addresses, nicknames, usernames, dates of birth, membership details, 2FA status, and internal roles. The exposed data includes full names, email addresses, phone numbers, dates of birth, and usernames, though users registered after March 9 are not impacted.

Healthcare and Financial Data Under Attack

Access Sports Medicine & Orthopaedics revealed that confidential information belonging to 88,000 patients was stolen, including names, Social Security numbers, dates of birth, and financial, medical, and health insurance information, with suspicious activity detected on May 10.

Two major banks—Citizens and Frost—faced customer lawsuits after the ransomware group Everest claimed it stole 3.4 million records from Citizens and more than 250,000 Social Security numbers from Frost through a third-party vendor breach. Both banks confirmed their own networks had not been breached but acknowledged that customer data including names, addresses, Social Security numbers and financial account information was compromised.

What Individuals Should Do

Government employees and contractors should immediately audit any credentials that may have been shared through collaboration platforms like GitHub. Run dark web scans to search breach databases, stealer malware logs, and criminal forums for your email address and associated credentials. If you're affiliated with affected educational institutions, healthcare providers, or banks, rotate passwords and enable two-factor authentication on all accounts.

Students and educators using Canvas-based systems should monitor for suspicious account activity and consider changing passwords as a precaution. Be particularly vigilant for phishing attempts targeting login credentials, especially those mentioning account verification or security updates.

What Businesses Should Do

Organizations must recognize they remain ultimately responsible for security across all contractor access points and third-party integrations. Deploy continuous attack surface monitoring using automated tools to monitor for exposed credentials and misconfigured cloud services. Implement persistent encryption that travels with data—encrypted files remain useless to threat actors without proper decryption keys.
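
One way to automate the exposed-credential check for the kind of file involved in the CISA incident (spreadsheets committed to a repository), as an added example that is not from the original article or any organization it names. It scans CSV exports by column name and by publicly documented token shapes and reports locations without echoing the secret; the header list, rule names, and sample rows are constructed assumptions.

```python
import csv
import io
import re

# Column names that suggest secrets (assumed list; extend for your environment).
HEADER_HINT = re.compile(r"password|passwd|secret|token|api[_ -]?key|access[_ -]?key", re.I)

# Publicly documented token shapes. Matches are located, never printed.
VALUE_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-classic-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "pem-private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def scan_csv(text, source="<memory>"):
    """Return findings as (source, row_number, column_name, rule) tuples."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for row_number, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            # Skip overflow cells (column is None) and empty or missing cells.
            if column is None or not value or not value.strip():
                continue
            matched = [name for name, rx in VALUE_RULES.items() if rx.search(value)]
            # A non-empty cell under a credential-like header is flagged even
            # when its value has no recognizable shape (e.g. a plain password).
            if not matched and HEADER_HINT.search(column):
                matched = ["credential-column"]
            findings.extend((source, row_number, column, rule) for rule in matched)
    return findings

# Constructed sample data; AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder.
SAMPLE = (
    "system,username,password,notes\n"
    "portal-a,svc_build,Summer2024!,rotate quarterly\n"
    "cloud-b,deploy,,key AKIAIOSFODNN7EXAMPLE in use\n"
    "wiki,alice,,no secrets here\n"
)

if __name__ == "__main__":
    for source, row, column, rule in scan_csv(SAMPLE, "sample.csv"):
        print(f"{source}: row {row}, column '{column}': {rule}")
```

Run as a pre-commit or CI step over exported spreadsheets; any finding means the credential should be rotated, not just deleted from the file, because repository history keeps earlier versions.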

Educational institutions should audit all Canvas integrations and API access immediately. Healthcare organizations must review third-party vendor agreements and ensure proper oversight of data handling practices. Enforce multifactor authentication, complex passwords, and correct configurations across all cloud services, as only 23% of organizations fully remediate missing or improperly secured MFA on cloud accounts.