The federal cybersecurity agency scrambled to respond after a contractor leaked sensitive credentials, revealing gaps in incident response planning.